[April-15-2025] Daily Cybersecurity Threat Report – Part 2

Introduction

This report details significant cybersecurity incidents observed over the 24-hour period ending April 15, 2025. The analysis is based on processed data feeds and is enriched with threat actor intelligence derived from available sources. The observed activity highlights the continued prevalence of Distributed Denial of Service (DDoS) attacks orchestrated by hacktivist groups, often linked to geopolitical tensions, alongside persistent ransomware campaigns targeting diverse sectors globally.

Executive Summary

The threat landscape on April 15, 2025, was characterized by significant DDoS activity and multiple ransomware incidents. Prominent attack vectors included DDoS campaigns primarily executed by hacktivist collectives such as NoName057(16), Al Ahad, and Dark Storm Team, alongside ransomware deployments attributed to Akira, INC RANSOM, and RHYSIDA.

Geographically, attacks were widespread but showed distinct clusters. Eastern European nations, particularly Ukraine, Poland, and Kosovo, faced numerous DDoS attacks, likely stemming from ongoing geopolitical conflicts and associated hacktivist motivations.¹ Hungary and Finland, both EU/NATO members, were also targeted by DDoS campaigns.⁵ The United States remained a primary target for ransomware operations, consistent with established trends.⁶

Targeted industries were diverse, reflecting the broad scope of both financially motivated cybercrime and politically driven hacktivism. Key sectors impacted included Financial Services, Insurance, Education, Government Administration, Airlines & Aviation, E-commerce & Online Stores, Manufacturing, Accounting, and Hospital & Health Care.

The following table provides a high-level summary of the incidents recorded during this period:

Table 1: Summary of Incidents (April 15, 2025)

Incident Date/Time (UTC)	Victim Organization	Victim Country	Victim Industry	Threat Actor	Attack Category	Brief Description/Claim
2025-04-15T13:30:48Z	Bank for Business (BPB)	Kosovo	Financial Services	Al Ahad	DDoS Attack	Targeted website bpbbank.com; proof of downtime provided.
2025-04-15T13:26:27Z	ProCredit Bank	Kosovo	Financial Services	Al Ahad	DDoS Attack	Targeted website procreditbank-kosovo.com; proof of downtime provided.
2025-04-15T13:16:49Z	Inductors Inc.	USA	Electrical & Electronic Manufacturing	akira	Ransomware	Claimed 6 GB data exfiltrated (NDAs, licenses, contracts, financials, insurance docs) from inductor.com.
2025-04-15T13:11:29Z	Peña Briones McDaniel & Co.	USA	Accounting	akira	Ransomware	Claimed 34 GB data exfiltrated (licenses, contracts, PII – passports, driver licenses, contacts, financials) from cpaelpaso.com.
2025-04-15T12:52:47Z	VIDI Insurance Company	Ukraine	Insurance	NoName057(16)	DDoS Attack	Targeted website insurance.vidi.ua; proof of downtime provided.
2025-04-15T12:48:59Z	VELES	Ukraine	Insurance	NoName057(16)	DDoS Attack	Targeted website skveles.kiev.ua; proof of downtime provided.
2025-04-15T12:44:06Z	ASKO DS Insurance Company	Ukraine	Insurance	NoName057(16)	DDoS Attack	Targeted website askods.com; proof of downtime provided.
2025-04-15T12:40:16Z	ASKA-Life Insurance Company	Ukraine	Insurance	NoName057(16)	DDoS Attack	Targeted website aska-life.com.ua; proof of downtime provided.
2025-04-15T11:02:43Z	Dnipro International Airport	Ukraine	Airlines & Aviation	Al Ahad	DDoS Attack	Targeted website dnk.aero; proof of downtime provided.
2025-04-15T11:00:50Z	Bank of Finland	Finland	Financial Services	Dark Storm Team	DDoS Attack	Targeted website suomenpankki.fi; proof of downtime provided.
2025-04-15T11:00:29Z	Kharkiv International Airport	Ukraine	Airlines & Aviation	Al Ahad	DDoS Attack	Targeted website hrk.aero; proof of downtime provided.
2025-04-15T10:58:10Z	Odesa International Airport	Ukraine	Airlines & Aviation	Al Ahad	DDoS Attack	Targeted website odessa.aero; proof of downtime provided.
2025-04-15T10:55:12Z	Kyiv Sikorsky International Airport	Ukraine	Airlines & Aviation	Al Ahad	DDoS Attack	Targeted website iev.aero; proof of downtime provided.
2025-04-15T10:47:45Z	eMAG Hungary	Hungary	E-commerce & Online Stores	Dark Storm Team	DDoS Attack	Targeted website emag.hu; proof of downtime provided.
2025-04-15T10:45:15Z	Leap n Learn Preschool	Canada	Education	Arab Ghosts Hackers	Defacement	Claimed defacement of website leapnlearn.ca.
2025-04-15T10:42:22Z	AFS Llc	Hungary	Oil & Gas	Dark Storm Team	DDoS Attack	Targeted website airportfuelsupply.com; proof of downtime provided.
2025-04-15T10:32:13Z	eMAG Magyarország	Hungary	E-commerce & Online Stores	Dark Storm Team	Ransomware	Targeted website emag.hu; proof of downtime provided (Note: Likely DDoS, see analysis).
2025-04-15T10:22:55Z	Prosecution Service of Hungary	Hungary	Government Administration	Dark Storm Team	DDoS Attack	Targeted website ugyeszseg.hu; proof of downtime provided.
2025-04-15T10:22:44Z	Orthopaedic Specialists of Connecticut	USA	Hospital & Health Care	INC RANSOM	Ransomware	Claimed data obtained from ctorthopaedic.com.
2025-04-15T10:18:51Z	Budapest Ferenc Liszt International Airport	Hungary	Airlines & Aviation	Dark Storm Team	DDoS Attack	Targeted website bud.hu; proof of downtime provided.
2025-04-15T10:14:02Z	Trocaire College	USA	Education	INC RANSOM	Ransomware	Claimed data obtained from trocaire.edu (Note: Location discrepancy, see analysis).
2025-04-15T09:50:19Z	Hungarian Ministry of Defence	Hungary	Government Administration	Dark Storm Team	DDoS Attack	Targeted website defence.hu; proof of downtime provided.
2025-04-15T09:28:43Z	National Informatics Centre (NIC)	India	Education (Gov IT Infrastructure)	Al Ahad	DDoS Attack	Targeted website upresults.nic.in; proof of downtime provided.
2025-04-15T09:23:06Z	WildFilm	Russia	Media Production	Team 1722	Data Breach	Claimed system hacked, contents wiped, infrastructure compromised at wildfilm.clan.su.
2025-04-15T09:19:21Z	Uttar Pradesh Madhyamik Shiksha Parishad	India	Education	Al Ahad	DDoS Attack	Targeted website upmsp.edu.in; proof of downtime provided.
2025-04-15T08:36:19Z	MPK Poznań	Poland	Transportation & Logistics	NoName057(16)	DDoS Attack	Targeted website mpk.poznan.pl; proof of downtime provided.
2025-04-15T08:31:01Z	PKS Polonus	Poland	Transportation & Logistics	NoName057(16)	DDoS Attack	Targeted website pkspolonus.pl; proof of downtime provided.
2025-04-15T08:07:52Z	City of Rzeszów	Poland	Financial Services (Gov/Municipal)	NoName057(16)	DDoS Attack	Targeted website erzeszow.pl; proof of downtime provided.
2025-04-15T07:59:52Z	Bank Pocztowy (Business Portal)	Poland	Financial Services	NoName057(16)	DDoS Attack	Targeted website biznes.pocztowy.pl; proof of downtime provided.
2025-04-15T07:56:18Z	Oregon Department of Environmental Quality	USA	Government Administration	RHYSIDA	Ransomware	Claimed data obtained from oregon.gov, threatened publication in 3-4 days.
2025-04-15T07:48:55Z	Bank Pocztowy (Online Banking)	Poland	Financial Services	NoName057(16)	DDoS Attack	Targeted website online.pocztowy.pl; proof of downtime provided.
2025-04-15T07:31:57Z	Wilderness Films India Ltd	India	Broadcast Media	Team 1722	Defacement	Claimed defacement of AVM Charity Foundation (Note: Victim discrepancy, see analysis) on wildfilmsindia.com.

Detailed Incident Analysis

This section provides detailed analysis of the incidents reported on April 15, 2025, grouped by the attributed threat actor for enhanced contextual understanding.

Threat Actor: Akira Ransomware

Active since at least March 2023 ⁹, Akira operates a Ransomware-as-a-Service (RaaS) model ⁶, primarily driven by financial motives.⁶ The group targets a wide range of businesses, with a focus on small-to-medium enterprises (SMEs) ⁶, though larger organizations have also been victims.¹⁰ Akira employs double extortion, exfiltrating sensitive data before encryption and threatening public release if ransom demands are unmet.⁶ Technical analysis indicates overlaps with the defunct Conti ransomware, suggesting potential reuse of code or involvement of former Conti affiliates.⁶ Initial access is often gained through compromised credentials for external services like VPNs (particularly exploiting known Cisco vulnerabilities such as CVE-2020-3259 and CVE-2023-20269, especially when Multi-Factor Authentication (MFA) is absent) ⁹ or Remote Desktop Protocol (RDP).¹¹ Post-access, Akira utilizes tools for lateral movement (e.g., pass-the-hash ¹⁰), credential dumping (targeting LSASS memory ¹⁴), defense evasion (disabling security software ¹⁰), and data exfiltration (using tools like Rclone or Mega ¹⁴). They deploy ransomware variants for both Windows and Linux environments, including targeting VMware ESXi virtual machines ⁶, and attempt to hinder recovery by deleting Volume Shadow Copies (VSS).¹⁵ Akira primarily targets organizations in North America, Europe, and Australia ¹¹, favoring sectors like manufacturing, critical infrastructure, finance, education, and healthcare.⁶

Incident: Inductors Inc. (USA, Electrical & Electronic Manufacturing)

Victim Details: Inductors Inc., USA, Electrical & Electronic Manufacturing, inductor.com
Incident Summary: Akira claimed responsibility for a ransomware attack reported on April 15, 2025 (13:16:49Z) via their Tor leak site. The group alleges the exfiltration of 6 GB of sensitive corporate data, including Non-Disclosure Agreements (NDAs), licenses, agreements, contracts, financial audits, payment details, reports, and insurance documents.
Threat Actor Context: This attack aligns with Akira’s documented preference for targeting the manufacturing sector.⁶ Ransomware groups frequently target manufacturing due to the potential for significant disruption caused by downtime and the value of proprietary data.¹⁹ The detailed list of allegedly stolen data underscores Akira’s double extortion strategy, leveraging the threat of exposing confidential business information to pressure victims into payment.⁹
Supporting Evidence:

Published URL: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/707a8e66-59dc-4802-90ed-759db5b42fb9.png
Incident: Peña Briones McDaniel & Co. (USA, Accounting)

Victim Details: Peña Briones McDaniel & Co., USA, Accounting, cpaelpaso.com
Incident Summary: A ransomware attack attributed to Akira was announced on April 15, 2025 (13:11:29Z) via their Tor leak site. The group claims to have exfiltrated a substantial 34 GB of data. The compromised information allegedly includes highly sensitive personal data (marriage licenses, passport scans, driver licenses, contact numbers, email addresses of employees and customers) alongside corporate documents (licenses, agreements, contracts) and financial data (audits, payment details, reports).
Threat Actor Context: Targeting an accounting firm fits Akira’s pattern of attacking sectors that handle large volumes of sensitive financial and personal information.⁶ The exfiltration of such diverse and sensitive Personally Identifiable Information (PII) alongside corporate financial data significantly increases the potential impact beyond operational disruption and financial loss. It introduces severe privacy risks for individuals whose data was compromised, potentially leading to identity theft or blackmail, and poses significant reputational and regulatory challenges for the victim organization.²⁰ This maximizes the leverage available to Akira in their double extortion scheme.⁹
Supporting Evidence:

Published URL: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/780f7e0d-0be0-4667-ac2e-08d7da4068cc.png

Threat Actor: NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective operational since March 2022.¹ Their primary motivation is geopolitical, focusing on supporting Russia by launching cyberattacks against Ukraine and nations perceived as critical of the Russian invasion, particularly NATO member states.¹ The group operates transparently, utilizing Telegram channels to announce targets, claim attacks, mock victims, and disseminate pro-Russian narratives.¹ Their main tactic is conducting DDoS attacks ¹, facilitated by their custom tool “DDoSia”.²¹ A distinctive feature is their “Project DDoSia,” which crowdsources attack capabilities by incentivizing volunteers with cryptocurrency payments to run the DDoS client, effectively outsourcing their botnet infrastructure.²³ Attacks typically involve HTTPS application-layer floods.²³ Their target scope includes government entities, financial institutions, transportation hubs, media organizations, and critical infrastructure in countries like Ukraine, Poland, Lithuania, Denmark, Czech Republic, Italy, Canada, Austria, and Switzerland.¹

Incident: VIDI Insurance Company (Ukraine, Insurance)

Victim Details: VIDI Insurance Company, Ukraine, Insurance, insurance.vidi.ua
Incident Summary: NoName057(16) claimed a DDoS attack against the company’s website on April 15, 2025 (12:52:47Z), providing proof of downtime via a check-host.net link. The claim was made on their Telegram channel.
Threat Actor Context: This attack is part of a clear pattern observed on this date, where NoName057(16) systematically targeted multiple entities within Ukraine’s insurance sector. Such focused campaigns against specific industries within an adversarial nation aim to maximize disruption to economic activity and potentially erode public confidence, aligning with their stated pro-Russian, anti-Ukraine objectives.²
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff6b92kc09
Published URL: https://t.me/nnm05716rus/567
Screenshots: https://d34iuop8pidsy8.cloudfront.net/58862189-3dd6-4bb3-af32-20d838feac55.png
Incident: VELES (Ukraine, Insurance)

Victim Details: VELES, Ukraine, Insurance, skveles.kiev.ua
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (12:48:59Z), with downtime proof provided via check-host.net and announcement on Telegram.
Threat Actor Context: This incident further reinforces the coordinated nature of the attack wave against the Ukrainian insurance sector by NoName057(16), demonstrating a planned effort rather than isolated attacks.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff6acdk8ee
Published URL: https://t.me/nnm05716rus/567
Screenshots: https://d34iuop8pidsy8.cloudfront.net/3cb5090f-a0b6-4e14-9837-aa861003eb54.png
Incident: ASKO DS Insurance Company (Ukraine, Insurance)

Victim Details: ASKO DS Insurance Company, Ukraine, Insurance, askods.com
Incident Summary: NoName057(16) claimed a DDoS attack on April 15, 2025 (12:44:06Z), providing downtime proof and announcing via Telegram.
Threat Actor Context: Continues the observed pattern of targeting Ukrainian insurance companies in rapid succession.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff6a79kf1f
Published URL: https://t.me/nnm05716rus/567
Screenshots: https://d34iuop8pidsy8.cloudfront.net/e4c8bf70-5a80-42e6-b744-8410ca5fc7ee.png
Incident: ASKA-Life Insurance Company (Ukraine, Insurance)

Victim Details: ASKA-Life Insurance Company, Ukraine, Insurance, aska-life.com.ua
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (12:40:16Z), with downtime proof and Telegram announcement.
Threat Actor Context: The fourth consecutive attack against a Ukrainian insurance entity within approximately one hour, strongly indicating a focused, coordinated campaign by NoName057(16).
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff6a1bk318
Published URL: https://t.me/nnm05716rus/567
Screenshots: https://d34iuop8pidsy8.cloudfront.net/ce677b64-3932-46fe-a8d3-dc7435d39837.png
Incident: MPK Poznań (Poland, Transportation & Logistics)

Victim Details: MPK Poznań (Municipal Transport Company in Poznań), Poland, Transportation & Logistics, mpk.poznan.pl
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (08:36:19Z), with downtime proof and Telegram announcement.
Threat Actor Context: Poland is a frequent target for NoName057(16) due to its status as a NATO member and its significant support for Ukraine.² Targeting public transportation systems aligns with the group’s strategy of disrupting critical infrastructure and services to impact daily life and signal capability against nations opposing Russian interests.¹ This attack is part of a series targeting Polish entities on this day.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fdb968k581
Published URL: https://t.me/nnm05716rus/553
Screenshots: https://d34iuop8pidsy8.cloudfront.net/8277f129-9959-4bda-a5c0-30bb947a5142.png, https://d34iuop8pidsy8.cloudfront.net/69bd8030-be84-4f2f-a734-65aeeb3a85ac.png
Incident: PKS Polonus (Poland, Transportation & Logistics)

Victim Details: PKS Polonus (Bus transport company), Poland, Transportation & Logistics, pkspolonus.pl
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (08:31:01Z), with downtime proof and Telegram announcement.
Threat Actor Context: Another attack targeting Poland’s transportation sector, occurring shortly before the attack on MPK Poznań, reinforcing the focus on disrupting Polish infrastructure as part of a sustained campaign.²
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fdb800kd17
Published URL: https://t.me/nnm05716rus/553
Screenshots: https://d34iuop8pidsy8.cloudfront.net/da91b6f7-7e5a-41d8-80c6-2f9f05e148f7.png, https://d34iuop8pidsy8.cloudfront.net/482e1ed9-b2a4-4993-bcbc-ceae8bcec31f.png
Incident: City of Rzeszów (Poland, Government/Municipal)

Victim Details: City of Rzeszów, Poland, (Industry Correction: Government/Municipal), erzeszow.pl
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (08:07:52Z), with downtime proof and Telegram announcement.
Threat Actor Context: Targeting municipal government websites is consistent with NoName057(16)’s attacks on government entities in adversarial nations.¹ The choice of Rzeszów may hold symbolic significance due to its geographical proximity to Ukraine and its crucial role as a logistical hub for international aid flowing into Ukraine. Attacking this specific city serves as a direct message against entities facilitating support for Ukraine, aligning with the group’s anti-Ukraine motivation.²
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fdb7d0k493
Published URL: https://t.me/nnm05716rus/553
Screenshots: https://d34iuop8pidsy8.cloudfront.net/ecef8d6d-a727-406d-9db5-17325f840d4d.png, https://d34iuop8pidsy8.cloudfront.net/29efc31d-6849-4a78-a674-52c647c872f0.png
Incident: Bank Pocztowy (Business Portal) (Poland, Financial Services)

Victim Details: Bank Pocztowy, Poland, Financial Services, biznes.pocztowy.pl
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (07:59:52Z), targeting the bank’s business portal. Downtime proof and Telegram announcement provided.
Threat Actor Context: The financial sector is a known target category for NoName057(16).¹ Bank Pocztowy’s connection to the Polish postal service potentially marks it as state-related infrastructure in the eyes of the attackers. Targeting both the business and online banking portals (see next incident) indicates an intent to cause widespread disruption to the bank’s services and customer access within a targeted country.¹
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fdb73fk2dc
Published URL: https://t.me/nnm05716rus/553
Screenshots: https://d34iuop8pidsy8.cloudfront.net/ca6bd572-9fcc-4089-971b-edb6b918b546.png, https://d34iuop8pidsy8.cloudfront.net/8bbcbd9b-315e-4cbb-85f2-c00d3f5e7795.png
Incident: Bank Pocztowy (Online Banking) (Poland, Financial Services)

Victim Details: Bank Pocztowy, Poland, Financial Services, online.pocztowy.pl
Incident Summary: DDoS attack claimed by NoName057(16) on April 15, 2025 (07:48:55Z), targeting the bank’s online banking portal. Downtime proof and Telegram announcement provided.
Threat Actor Context: Part of the focused assault on Bank Pocztowy, demonstrating a tactical approach to maximize disruption against a specific financial institution in Poland.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fdb6fckd41
Published URL: https://t.me/nnm05716rus/553
Screenshots: https://d34iuop8pidsy8.cloudfront.net/fdba08f2-da8c-44cb-8764-7a383fc9fb0f.png, https://d34iuop8pidsy8.cloudfront.net/8f505cc1-ae3c-40e1-92f1-fe9f47fbb310.png

Threat Actor: Al Ahad

Al Ahad is identified as an Islamist-oriented hacktivist group.²⁸ Evidence suggests potential involvement in broader hacktivist coalitions, such as the “Holy League,” which reportedly unites pro-Russian and pro-Palestinian factions to target shared adversaries.³ Their motivations are tied to geopolitical and religious conflicts, often expressing pro-Palestinian sentiments and opposition to Western nations, Israel, India, and countries supporting Ukraine.³ Like many hacktivist groups, they utilize Telegram for communication but have reportedly considered migrating to platforms like Signal for enhanced privacy.²⁸ Their primary reported tactic is DDoS attacks ³, although associated alliances may also employ defacement and data leaks.³ Their target scope appears broad, reflecting potential alliance objectives, encompassing Western-aligned nations (Kosovo), nations involved in the Russia-Ukraine conflict (Ukraine), and other designated adversaries like India.³

Incident: Bank for Business (BPB) (Kosovo, Financial Services)

Victim Details: Bank for Business (BPB), Kosovo, Financial Services, bpbbank.com
Incident Summary: Al Ahad claimed a DDoS attack against the bank’s website on April 15, 2025 (13:30:48Z), providing downtime proof via check-host.net and announcing on Telegram.
Threat Actor Context: The targeting of financial institutions in Kosovo, followed by attacks on Ukrainian and Indian entities on the same day, suggests a broad operational scope possibly influenced by Al Ahad’s participation in hacktivist alliances like the Holy League.³ This coalition framework allows groups with different primary ideologies (e.g., Islamist, pro-Russian) to pool resources and attack a wider range of targets designated as common enemies (Western-aligned nations, Ukraine supporters, India).³
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff97d5k845
Published URL: https://t.me/qayzerowns/86
Screenshots: https://d34iuop8pidsy8.cloudfront.net/3a2089ff-efbb-46d8-8ec3-32477360260c.png
Incident: ProCredit Bank (Kosovo, Financial Services)

Victim Details: ProCredit Bank, Kosovo, Financial Services, procreditbank-kosovo.com
Incident Summary: DDoS attack claimed by Al Ahad on April 15, 2025 (13:26:27Z), with downtime proof and Telegram announcement.
Threat Actor Context: Further evidence of the targeting of Kosovo’s financial sector, likely driven by geopolitical motivations related to Kosovo’s perceived alignment or as part of a broader campaign orchestrated by an allied hacktivist network.³
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24ff8ef3kcc
Published URL: https://t.me/qayzerowns/86
Screenshots: https://d34iuop8pidsy8.cloudfront.net/1f6a181a-4193-44c8-830d-4c6e8d5e4ac2.png
Incident: Dnipro International Airport (Ukraine, Airlines & Aviation)

Victim Details: Dnipro International Airport, Ukraine, Airlines & Aviation, dnk.aero
Incident Summary: Al Ahad claimed a DDoS attack on April 15, 2025 (11:02:43Z), providing downtime proof and announcing via Telegram.
Threat Actor Context: This attack is part of a rapid succession of DDoS attacks against four major Ukrainian airports (Dnipro, Kharkiv, Odesa, Kyiv Sikorsky) attributed to Al Ahad within approximately 10 minutes. This strongly suggests a coordinated campaign aimed at disrupting critical transportation infrastructure in Ukraine. Such actions align with the anti-Ukraine objectives of pro-Russian groups, with whom Al Ahad may be allied within coalitions like the Holy League.³
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24feb4c6k101
Published URL: https://t.me/qayzerowns/85
Screenshots: https://d34iuop8pidsy8.cloudfront.net/0e2170c6-636f-4367-bd0e-5f7962ef5253.png
Incident: Kharkiv International Airport (Ukraine, Airlines & Aviation)

Victim Details: Kharkiv International Airport, Ukraine, Airlines & Aviation, hrk.aero
Incident Summary: DDoS attack claimed by Al Ahad on April 15, 2025 (11:00:29Z), with downtime proof and Telegram announcement.
Threat Actor Context: Part of the coordinated assault on Ukrainian airport infrastructure.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24feb3eakeba
Published URL: https://t.me/qayzerowns/85
Screenshots: https://d34iuop8pidsy8.cloudfront.net/1aa7a187-4ec8-43d2-9e7f-0b023af4884d.png
Incident: Odesa International Airport (Ukraine, Airlines & Aviation)

Victim Details: Odesa International Airport, Ukraine, Airlines & Aviation, odessa.aero
Incident Summary: DDoS attack claimed by Al Ahad on April 15, 2025 (10:58:10Z), with downtime proof and Telegram announcement.
Threat Actor Context: Part of the coordinated assault on Ukrainian airport infrastructure.
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24feb302ke43
Published URL: https://t.me/qayzerowns/85
Screenshots: https://d34iuop8pidsy8.cloudfront.net/254da007-8a61-4929-9a5d-fee1cecd689c.png
Incident: Kyiv Sikorsky International Airport (Ukraine, Airlines & Aviation)

Victim Details: Kyiv Sikorsky International Airport, Ukraine, Airlines & Aviation, iev.aero
Incident Summary: DDoS attack claimed by Al Ahad on April 15, 2025 (10:55:12Z), with downtime proof and Telegram announcement.
Threat Actor Context: The fourth airport targeted in quick succession, solidifying the assessment of a coordinated campaign against Ukrainian critical infrastructure by Al Ahad, likely reflecting alliance goals.³
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24feae1ek119
Published URL: https://t.me/qayzerowns/85
Screenshots: https://d34iuop8pidsy8.cloudfront.net/739728c1-74fc-4d1b-8557-28d493a56298.png
Incident: National Informatics Centre (NIC) (India, Government IT Infrastructure)

Victim Details: National Informatics Centre (NIC) – Uttar Pradesh Results Portal, India, (Industry Correction: Government IT Infrastructure), upresults.nic.in
Incident Summary: Al Ahad claimed a DDoS attack on April 15, 2025 (09:28:43Z), targeting a specific results portal hosted by NIC. Downtime proof and Telegram announcement provided.
Threat Actor Context: India is an explicitly named target category for the Holy League alliance, potentially involving Al Ahad.³ Targeting highly visible government portals, such as educational results websites (NIC results, UPMSP – see next incident), during peak interest periods can cause significant public disruption and attract media attention. This tactic aligns with hacktivist goals of maximizing impact and visibility within a targeted nation.²⁷
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe4660k628
Published URL: https://t.me/qayzerowns/84
Screenshots: https://d34iuop8pidsy8.cloudfront.net/8b93a3a3-ee4a-47f9-8d5b-1678ab2532d2.png
Incident: Uttar Pradesh Madhyamik Shiksha Parishad (UPMSP) (India, Education)

Victim Details: Uttar Pradesh Madhyamik Shiksha Parishad (UPMSP – State Board of High School and Intermediate Education), India, Education, upmsp.edu.in
Incident Summary: DDoS attack claimed by Al Ahad on April 15, 2025 (09:19:21Z), with downtime proof and Telegram announcement.
Threat Actor Context: Part of the focused attack wave against Indian educational and government portals, likely chosen for high visibility and disruptive potential, consistent with targeting India as per alliance objectives.³
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe3972k7b3
Published URL: https://t.me/qayzerowns/84
Screenshots: https://d34iuop8pidsy8.cloudfront.net/27e0d8fd-a1cc-4ffa-8653-cec07f7bb0f5.png

Threat Actor: Dark Storm Team

Dark Storm Team emerged around September 2023 ⁵ and presents a complex profile. While primarily known as a pro-Palestinian hacktivist group conducting DDoS attacks ⁵, they also exhibit clear financial motivations, offering DDoS-for-hire services and selling compromised data.⁵ This blend of ideology and commercial interest complicates straightforward attribution and motivation analysis.³¹ Unconfirmed links to Russia have been suggested ⁵, and the group is known to collaborate with diverse actors, including pro-Russian (Killnet) and other Islamist-oriented groups.⁵ They specialize in DDoS attacks ³¹, employing large botnets (potentially involving IoT devices or vulnerable routers ³¹) and obfuscation techniques like proxies/VPNs.³¹ A signature tactic is providing “proof links” using third-party checker services (e.g., check-host.net) to validate their attack success.³¹ Their targets typically include Western organizations, critical infrastructure, and entities perceived as supporting Israel or opposing Palestinian interests, spanning the U.S., Israel, Ukraine, UAE, and NATO countries.⁵

Incident: Bank of Finland (Finland, Financial Services)

Victim Details: Bank of Finland, Finland, Financial Services, suomenpankki.fi
Incident Summary: Dark Storm Team claimed a DDoS attack against the central bank’s website on April 15, 2025 (11:00:50Z), providing downtime proof via check-host.net and announcing on Telegram.
Threat Actor Context: The attacks observed today against entities in Finland (NATO member) and Hungary (EU/NATO member) align with Dark Storm Team’s established anti-Western/anti-NATO targeting profile.⁵ The selection of diverse targets across these countries—including a central bank, major e-commerce site, government ministries, an airport, and an energy-related company—demonstrates a broad disruptive intent aimed at critical and commercial sectors, consistent with both geopolitical motivations and potentially their DDoS-for-hire operations.⁵
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fef8e5k8ca
Published URL: https://t.me/DarkStormTeam3/281
Screenshots: https://d34iuop8pidsy8.cloudfront.net/b212c33b-70cb-4848-b852-f164fce2ee07.png
Incident: eMAG Hungary / eMAG Magyarország (Hungary, E-commerce & Online Stores)

Victim Details: eMAG Hungary / eMAG Magyarország, Hungary, E-commerce & Online Stores, emag.hu
Incident Summary: Two claims were made against this target by Dark Storm Team on April 15, 2025. The first (10:47:45Z) is categorized as a DDoS attack. The second (10:32:13Z) is categorized as Ransomware, but the provided content is a check-host.net link, typically used by this group to prove DDoS impact. Both claims reference the same proof link and Telegram post. It is highly probable that both entries refer to DDoS activity, with the “Ransomware” categorization being an error in the source data feed.
Threat Actor Context: Targeting a major online retailer like eMAG aims to disrupt commercial activity. The likely miscategorization of one claim highlights the importance of verifying intelligence data against known actor TTPs and provided evidence. Dark Storm Team’s primary modus operandi is DDoS, and their use of check-host links strongly corroborates this.³¹
Supporting Evidence (10:47 Entry – DDoS):

Proof of downtime: https://check-host.net/check-report/24fe727ek13b
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/28b5968d-f1d1-480f-bc20-28466d230841.png
Supporting Evidence (10:32 Entry – Likely DDoS):

Proof of downtime: https://check-host.net/check-report/24fe727ek13b
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/a20cfcde-6019-41c0-a26a-754fa89ead4a.jpg
Incident: AFS Llc (Hungary, Oil & Gas)

Victim Details: AFS Llc (Airport Fuel Supply), Hungary, Oil & Gas, airportfuelsupply.com
Incident Summary: DDoS attack claimed by Dark Storm Team on April 15, 2025 (10:42:22Z), with downtime proof and Telegram announcement.
Threat Actor Context: Targeting an entity involved in airport fuel supply touches upon critical energy and transportation infrastructure, aligning with the group’s disruptive goals against targeted nations.⁵
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe7070kb3f
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/c755113c-7967-453b-9623-9d2c7f7921b4.png
Incident: Prosecution Service of Hungary (Hungary, Government Administration)

Victim Details: Prosecution Service of Hungary, Hungary, Government Administration, ugyeszseg.hu
Incident Summary: DDoS attack claimed by Dark Storm Team on April 15, 2025 (10:22:55Z), with downtime proof and Telegram announcement.
Threat Actor Context: Attacking a national prosecution service represents a direct assault on a state’s judicial functions, consistent with targeting government institutions.⁵
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe6afbk587
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/a1775aae-c993-4407-833c-a1c69b6a62f7.png
Incident: Budapest Ferenc Liszt International Airport (Hungary, Airlines & Aviation)

Victim Details: Budapest Ferenc Liszt International Airport, Hungary, Airlines & Aviation, bud.hu
Incident Summary: DDoS attack claimed by Dark Storm Team on April 15, 2025 (10:18:51Z), with downtime proof and Telegram announcement.
Threat Actor Context: Targeting major international airports is a common tactic for hacktivist groups seeking high-impact disruption and visibility.⁵
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe6643ka6f
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/3abda5d6-a54a-40bd-a05b-4b1cfec20209.png
Incident: Hungarian Ministry of Defence (Hungary, Government Administration)

Victim Details: Hungarian Ministry of Defence, Hungary, Government Administration, defence.hu
Incident Summary: DDoS attack claimed by Dark Storm Team on April 15, 2025 (09:50:19Z), with downtime proof and Telegram announcement.
Threat Actor Context: A direct attack against a nation’s Ministry of Defence is a significant escalation, targeting a core security apparatus and demonstrating intent to challenge state capabilities.⁵
Supporting Evidence:

Proof of downtime: https://check-host.net/check-report/24fe622bk377
Published URL: https://t.me/DarkStormTeam3/279
Screenshots: https://d34iuop8pidsy8.cloudfront.net/fd343888-bfd0-47a4-904b-2ed13afbf28d.png

Threat Actor: INC RANSOM

INC RANSOM emerged in July 2023 ³⁸ as a multi-extortion ransomware operation. Primarily financially motivated, the group targets critical systems to maximize pressure for ransom payments, despite sometimes framing their actions as a security service.³⁸ They exfiltrate data before encryption and threaten leaks via their Tor-based blog.³⁸ Potential code overlaps or source code sales link INC RANSOM to the later Lynx ransomware variant.⁷ Their TTPs involve initial access through methods like spear-phishing or exploiting vulnerabilities (e.g., Citrix CVE-2023-3519 ³⁹, Fortinet CVE-2023-48788 ³⁸). They utilize common tools for post-exploitation, including network scanners (netscan.exe ³⁸), cloud synchronization tools for data exfiltration (MEGAsync ³⁸), Remote Monitoring and Management (RMM) software (AnyDesk ³⁸), and legitimate Windows utilities. Lateral movement often involves techniques like pass-the-hash, aiming to compromise high-privilege accounts like Domain Admins.³⁸ They attempt to delete Volume Shadow Copies (VSS) to impede recovery.³⁸ INC RANSOM targets a broad range of industries, including healthcare, education, government, retail, and finance, primarily in the US and UK.⁷

Incident: Orthopaedic Specialists of Connecticut (USA, Hospital & Health Care)

Victim Details: Orthopaedic Specialists of Connecticut, USA, Hospital & Health Care, ctorthopaedic.com
Incident Summary: INC RANSOM claimed a ransomware attack on April 15, 2025 (10:22:44Z), stating they obtained the organization’s data. The announcement was made via their Tor blog.
Threat Actor Context: The targeting of healthcare and educational institutions (see next incident) is characteristic of INC RANSOM.³⁸ These sectors are often perceived as having less robust cybersecurity measures or face greater pressure to restore services quickly due to the critical nature of their operations and data, making them attractive targets for financially motivated ransomware groups.¹⁹ INC RANSOM’s documented use of legitimate tools like AnyDesk (RMM) and MEGAsync (cloud storage) for intrusion and exfiltration highlights the challenge of detecting malicious activity that blends with normal administrative tasks.¹⁹
Supporting Evidence:

Published URL: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/67ee8d1d516e69ca611ee27d
Screenshots: https://d34iuop8pidsy8.cloudfront.net/55fcc707-918b-4ac1-a9ab-e6108ab0fff8.png, https://d34iuop8pidsy8.cloudfront.net/cd0daf63-fabd-4be0-b62d-a5eb8cdbbe4a.png
Incident: Trocaire College (USA, Education)

Victim Details: Trocaire College, USA, Education, trocaire.edu (Analyst Note: The JSON data specifies “Trocaire College of Connecticut,” but the domain trocaire.edu belongs to an institution in New York. This may indicate an error in the location detail provided in the source feed or refer to a specific program/partnership.)
Incident Summary: Ransomware attack claimed by INC RANSOM on April 15, 2025 (10:14:02Z), alleging data acquisition. Announced via Tor blog.
Threat Actor Context: Targeting the education sector aligns with INC RANSOM’s known victimology.³⁸ Educational institutions, particularly smaller colleges or K-12 schools, can be appealing targets due to potentially limited cybersecurity resources and the sensitive nature of student and staff data.⁴¹
Supporting Evidence:

Published URL: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/67f7e797516e69ca6185364d
Screenshots: https://d34iuop8pidsy8.cloudfront.net/c244e8f7-0a28-49ac-84b4-80f5a96a110b.png

Threat Actor: RHYSIDA Ransomware

RHYSIDA emerged in May 2023 ⁸ and operates as a Ransomware-as-a-Service (RaaS) group.⁴² Their primary motivation is financial gain.⁸ A distinctive characteristic is their self-portrayal as a “cybersecurity team” offering assistance to victims, likely a social engineering tactic.⁸ They employ double extortion methods.⁸ Initial access vectors include phishing ⁸ and exploitation of external remote services like VPNs, often leveraging compromised credentials where MFA is lacking.¹³ Post-compromise, they utilize frameworks like Cobalt Strike for C2 and lateral movement ⁸, and tools like PsExec for deploying payloads.⁸ Defense evasion involves PowerShell scripts (e.g., SILENTKILL) to terminate security processes and delete shadow copies.⁸ They leverage living-off-the-land techniques (RDP, PowerShell, PuTTY/SSH).⁴³ Encryption uses a 4096-bit RSA key with AES-CTR, implemented via the LibTomCrypt library ⁴⁵, appending the .rhysida extension. They target opportunistically across sectors like education, healthcare, manufacturing, IT, and government, primarily in Europe, North America, and the Middle East.⁸

Incident: Oregon Department of Environmental Quality (USA, Government Administration)

Victim Details: Oregon Department of Environmental Quality, USA, Government Administration, oregon.gov
Incident Summary: RHYSIDA claimed a ransomware attack on April 15, 2025 (07:56:18Z), stating data was obtained and would be published within 3-4 days if demands were not met. Announced via Tor network.
Threat Actor Context: This attack on a US state government agency is consistent with RHYSIDA’s documented targeting of the government sector.⁸ The explicit short deadline (3-4 days) mentioned in the claim serves as a significant pressure tactic, aiming to compel a rapid payment decision before the threatened data leak occurs, a standard component of the double extortion model. The group’s unique “cybersecurity team” persona represents a notable social engineering element possibly employed during victim interaction.⁸
Supporting Evidence:

Published URL: http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/7c0d46cd-62f2-4d5d-b2c2-f6c8ffcc3ce5.png

Threat Actor: Team 1722

Specific intelligence regarding the origins, affiliations, and full capabilities of “Team 1722” was not available in the analyzed sources.⁹ Based on the observed activities—targeting entities in Russia and India, and employing tactics like data wiping and website defacement—Team 1722 likely operates as a hacktivist group. Their motivations remain unclear but could be political, ideological, or purely disruptive. Their use of Telegram for disseminating claims aligns with common hacktivist practices.¹

Incident: WildFilm (Russia, Media Production)

Victim Details: WildFilm, Russia, Media Production, wildfilm.clan.su
Incident Summary: Team 1722 claimed responsibility for a data breach and system wipe against WildFilm on April 15, 2025 (09:23:06Z). The group asserted they hacked the system, wiped its contents, and compromised the entire infrastructure. The claim was made via Telegram.
Threat Actor Context: The claim of infrastructure wiping, rather than just data theft or encryption for ransom, suggests a destructive intent. Such tactics are often associated with state-sponsored operations or highly motivated hacktivist groups aiming to cause maximum damage and disruption, rather than financial gain.⁴⁸ The lack of detailed information on Team 1722 underscores the challenge of tracking the multitude of emerging or ephemeral hacktivist entities.
Supporting Evidence:

Published URL: https://t.me/x1722x/2482
Screenshots: https://d34iuop8pidsy8.cloudfront.net/1f637ae5-9236-4a0b-a964-36bdcf227aed.png
Incident: Wilderness Films India Ltd (India, Broadcast Media)

Victim Details: Wilderness Films India Ltd, India, Broadcast Media, wildfilmsindia.com (Analyst Note: The incident content claims defacement of “AVM Charity Foundation,” while the title names Wilderness Films India Ltd. This discrepancy may stem from errors in the source feed or the actor’s own reporting.)
Incident Summary: Team 1722 claimed a website defacement attack on April 15, 2025 (07:31:57Z). The announcement was made via Telegram.
Threat Actor Context: Website defacement is a common, relatively low-sophistication tactic employed by hacktivists for visibility and messaging.³ The targeting of an Indian entity is consistent with the group’s other observed activity. The noted discrepancy in the victim’s name highlights the potential for inaccuracies in raw threat intelligence feeds and the need for verification.
Supporting Evidence:

Published URL: https://t.me/x1722x/2482
Screenshots: https://d34iuop8pidsy8.cloudfront.net/2e7df3a0-4c4d-487b-bc46-fe32e3dd5e1c.png

Threat Actor: Arab Ghosts Hackers

Detailed intelligence on “Arab Ghosts Hackers” was not present in the reviewed sources.⁹ The group’s name suggests an affiliation with the Arab region and likely hacktivist motivations, potentially linked to regional geopolitical issues or anti-Western sentiment.³⁶ Website defacement, the observed tactic, is a common method used by hacktivist groups.³

Incident: Leap n Learn Preschool (Canada, Education)

Victim Details: Leap n Learn Preschool, Canada, Education, leapnlearn.ca
Incident Summary: Arab Ghosts Hackers claimed to have defaced the preschool’s website on April 15, 2025 (10:45:15Z). The claim was announced via a Telegram link, potentially indicating a private channel.
Threat Actor Context: The targeting of a Canadian preschool is unusual for geopolitically motivated hacktivism and appears anomalous. Possible explanations include opportunistic targeting of a vulnerable website regardless of strategic value, a symbolic act against a Western nation, activity by a low-skill actor choosing an easy target, or potential misattribution. Without further intelligence on the group’s specific agenda and capabilities, the precise motivation behind this attack remains unclear, illustrating the sometimes unpredictable nature of hacktivist target selection.
Supporting Evidence:

Published URL: https://t.me/c/2518408007/15
Screenshots: https://d34iuop8pidsy8.cloudfront.net/74ddfd77-776a-4d29-8d24-a662bd36b00c.png

Emerging Trends & Observations

Analysis of the incidents reported on April 15, 2025, reveals several key trends and observations:

Prevalence of Geopolitically Motivated DDoS: A substantial volume of the day’s activity consisted of DDoS attacks conducted by hacktivist groups (NoName057(16), Al Ahad, Dark Storm Team). These attacks explicitly targeted nations involved in or associated with the Russia-Ukraine conflict (Ukraine, Poland, Finland, Hungary) and other regions experiencing geopolitical friction (Kosovo, India). This reflects the established trend of hacktivism being employed as a disruptive tool in international disputes.² The coordinated nature of several attack waves—such as NoName057(16)’s targeting of multiple Ukrainian insurance firms and Polish entities in quick succession, and Al Ahad’s simultaneous strikes on Ukrainian airports and Indian government portals—suggests planned campaigns rather than random, isolated actions. This level of coordination points towards organized efforts, potentially involving established structures, crowdsourced platforms like Project DDoSia ²³, or alliances like the Holy League.³
Persistent Ransomware Operations: Financially motivated ransomware remains a significant threat, with groups like Akira, INC RANSOM, and RHYSIDA actively targeting diverse sectors (Manufacturing, Accounting, Healthcare, Education, Government) primarily within the United States.⁶ All observed ransomware actors employed double extortion tactics, combining data encryption with the threat of data leakage to maximize pressure on victims.⁸ These incidents underscore the continued reliance of ransomware actors on exploiting known vulnerabilities (e.g., VPN flaws cited for Akira ¹¹; Fortinet/Citrix flaws for INC RANSOM ³⁸) and abusing legitimate administrative tools (RMMs, cloud storage, PowerShell, PsExec).⁸ This highlights persistent challenges for organizations in maintaining adequate patch management, enforcing MFA, and detecting the malicious use of trusted software, emphasizing the critical need for robust security hygiene and advanced endpoint/network monitoring capabilities.¹⁰
Complex Hacktivist Motivations: The cyber landscape features actors with multifaceted motivations. Groups like Dark Storm Team demonstrate a blend of ideological drivers (pro-Palestinian) and commercial activities (DDoS-for-hire).⁵ Furthermore, alliances such as the reported Holy League potentially merge actors with different primary motivations (e.g., pro-Russian and pro-Palestinian) to pursue common targets.³ This complexity challenges traditional threat modeling based on singular motivations, requiring defenders to consider a broader range of potential triggers and attack vectors when assessing risks posed by hacktivist entities.
Intelligence Challenges and Data Quality: The absence of detailed information on groups like Team 1722 and Arab Ghosts Hackers within the analyzed sources, coupled with observed inconsistencies in the source data (e.g., victim location/name discrepancies, potential attack type miscategorization), underscores the inherent challenges in real-time threat intelligence. It highlights the dynamic nature of the threat landscape, the difficulty in tracking numerous, potentially short-lived groups, and the critical need for analysts to rigorously verify and contextualize raw intelligence feeds before drawing firm conclusions.

Mitigation Considerations

Based on the observed threats and TTPs, organizations should consider the following mitigation strategies:

Against DDoS Attacks:

Deploy multi-layered DDoS mitigation solutions, incorporating both cloud-based scrubbing services and potentially on-premise detection/mitigation appliances capable of handling volumetric and application-layer attacks.³
Configure network infrastructure (firewalls, routers) with appropriate filtering rules and rate limiting.
Utilize Content Delivery Networks (CDNs) to distribute traffic load and absorb attack volume.
Develop and regularly test a DDoS-specific incident response plan.¹
Against Ransomware:

Prevent Initial Access: Maintain aggressive patch management for all systems, prioritizing internet-facing devices and software with known vulnerabilities, particularly VPNs, RDP services, and web servers (e.g., Cisco, Fortinet, Citrix vulnerabilities exploited by actors in this report).¹¹ Enforce strong, unique passwords and mandate phishing-resistant Multi-Factor Authentication (MFA) for all remote access, privileged accounts, and critical applications.¹⁰ Deploy robust email security solutions to detect and block phishing attempts.⁸
Limit Lateral Movement & Execution: Implement network segmentation to contain breaches and limit lateral movement.⁴¹ Strictly control and monitor the use of administrative tools (PowerShell, PsExec), RMM software (AnyDesk), and file-sharing/synchronization tools (MEGA), potentially using application control or allow-listing.⁸ Utilize advanced Endpoint Detection and Response (EDR) solutions with behavioral detection capabilities to identify anomalous activity, credential dumping attempts (LSASS access), and ransomware execution patterns.¹¹
Mitigate Impact: Implement a comprehensive backup strategy with regular, tested, and offline/immutable backups.³⁹ Ensure Volume Shadow Copies (VSS) are protected against deletion where possible, recognizing that sophisticated actors attempt to bypass this.⁸ Maintain and regularly exercise a detailed ransomware incident response plan.¹
Against Web Compromise (Defacement/Data Breach):

Perform regular vulnerability scanning and penetration testing of web applications.
Deploy and properly configure Web Application Firewalls (WAFs).³
Implement strong access controls and authentication for Content Management Systems (CMS) and administrative interfaces.
Utilize file integrity monitoring to detect unauthorized changes to web content.
General Security Hygiene:

Conduct ongoing security awareness training for all employees, emphasizing the identification of phishing emails, malicious links/attachments, and social engineering tactics.³⁹
Maintain accurate inventories of all hardware and software assets.³⁸
Implement least privilege principles for user accounts and system permissions.

Works cited

Threat Intelligence NoName057(16) Threat Actor Profile – Quorum Cyber, accessed April 15, 2025, https://www.quorumcyber.com/wp-content/uploads/2024/04/TI-NoName057-Threat-Actor-Profile-1.pdf
NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne, accessed April 15, 2025, https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
December 16, 2024 Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 15, 2025, https://www.radware.com/getattachment/2a2da1ff-d41e-468a-a263-3b48851ca629/Advisory-Holy-League-Dec-2024.pdf.aspx
Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 15, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
Cyber Insight DarkStorm Team – Orange Cyberdefense, accessed April 15, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/DARKSTORMTEAM/DarkStormTeam-EN.pdf
Ransomware Spotlight: Akira | Trend Micro (US), accessed April 15, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-akira
Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself – Picus Security, accessed April 15, 2025, https://www.picussecurity.com/resource/blog/lynx-ransomware
Ransomware Spotlight: Rhysida | Trend Micro (US), accessed April 15, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida
Groups | MITRE ATT&CK®, accessed April 15, 2025, https://attack.mitre.org/groups
Akira: Modern ransomware with a retro vibe | Barracuda Networks Blog, accessed April 15, 2025, https://blog.barracuda.com/2025/02/11/akira–modern-ransomware-with-a-retro-vibe
Akira Ransomware | Outbreak Alert – FortiGuard Labs – Fortinet, accessed April 15, 2025, https://fortiguard.fortinet.com/outbreak-alert/akira-ransomware
Akira Ransomware | Outbreak Alert – FortiGuard Labs, accessed April 15, 2025, https://www.fortiguard.com/outbreak-alert/akira-ransomware
Rhysida ransomware: The creepy crawling criminal hiding in the dark – Barracuda Blog, accessed April 15, 2025, https://blog.barracuda.com/2024/05/09/rhysida-ransomware–the-creepy-crawling-criminal-hiding-in-the-d
Cracking Akira Ransomware: Prevention and Analysis by TTPs – Morphisec, accessed April 15, 2025, https://www.morphisec.com/blog/akira-ransomware-prevention-and-analysis/
Akira Ransomware – Trellix, accessed April 15, 2025, https://www.trellix.com/blogs/research/akira-ransomware/
#StopRansomware: Akira Ransomware | CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
Akira Ransomware: A Shifting Force in the RaaS Domain – Bitdefender, accessed April 15, 2025, https://www.bitdefender.com/en-au/blog/businessinsights/akira-ransomware-a-shifting-force-in-the-raas-domain
Inside Akira Ransomware’s Rust Experiment – Check Point Research, accessed April 15, 2025, https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/
Dragos Industrial Ransomware Analysis: Q3 2024, accessed April 15, 2025, https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q3-2024/
Types of Cyber Threat Actors That Threaten Healthcare | HHS.gov, accessed April 15, 2025, https://www.hhs.gov/sites/default/files/types-threat-actors-threaten-healthcare.pdf
NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 15, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
Noname057(16) – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Noname057(16)
Is There a DDoS Attack Ceiling? – Cyber Defense Magazine, accessed April 15, 2025, https://www.cyberdefensemagazine.com/is-there-a-ddos-attack-ceiling/
NoName057(16) – NetScout Systems, accessed April 15, 2025, https://www.netscout.com/blog/asert/noname057-16
Cybersecurity threats: NoName057 targets Italy’s financial sector | White Blue Ocean, accessed April 15, 2025, https://www.whiteblueocean.com/newsroom/ddos-attacks-rock-the-italian-financial-sector/
Pro-Russian Hacktivists Target Organizations in Austria With DDoS Attack Campaign, accessed April 15, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-hacktivists-target-organizations-in-austria-with-ddos-attack-campaign/
What Is Advanced Persistent Threat (APT) In Cybersecurity? – Picus Security, accessed April 15, 2025, https://www.picussecurity.com/resource/glossary/what-is-advanced-persistent-threat-apt
The Exodus Began: Alternatives for Telegram – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/the-exodus-began-alternatives-for-telegram/
THN Cybersecurity Recap: Top Threats and Trends (Sep 30 – Oct 6) – The Hacker News, accessed April 15, 2025, https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats-and.html
Hackers Take Credit for X Cyberattack – SecurityWeek, accessed April 15, 2025, https://www.securityweek.com/hackers-take-credit-for-x-cyberattack/
Dark storm team claims responsibility for cyber attack on X platform – What it means for the future of digital security – ET CISO, accessed April 15, 2025, https://ciso.economictimes.indiatimes.com/news/ot-security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/119031271
Dark Storm Team Claims Responsibility for Cyber Attack on X Platform – What It Means for the Future of Digital Security – Check Point Blog, accessed April 15, 2025, https://blog.checkpoint.com/security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/
Twitter Outage: Cyberattack cripples X, Pro-Palestinian hacker group Dark Storm claims responsibility – The Economic Times, accessed April 15, 2025, https://m.economictimes.com/news/international/global-trends/twitter-outage-cyberattack-cripples-x-elon-musk-blames-large-group-or-nation-pro-palestinian-hacker-group-dark-storm-claims-responsibility/articleshow/118866728.cms
Who is Dark Storm Team, the hacking group allegedly behind X cyberattack? | World News, accessed April 15, 2025, https://www.hindustantimes.com/world-news/who-is-dark-storm-team-the-hacking-group-allegedly-behind-x-cyberattack-101741633891827.html
X Faces Cyberattack: Dark Storm Team Takes Credit, Musk Blames Ukraine – SOCRadar, accessed April 15, 2025, https://socradar.io/x-faces-cyberattack-dark-storm-team-takes-credit-musk-blames-ukraine/
Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed April 15, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
Massive DDoS on X: Dark Storm or Cyber Fog? | Bitsight, accessed April 15, 2025, https://www.bitsight.com/blog/massive-ddos-cyber-fog
Inc Ransom Attack Analysis – ReliaQuest, accessed April 15, 2025, https://reliaquest.com/blog/inc-ransom-attack-analysis/
Inc. Ransom | SentinelOne, accessed April 15, 2025, https://www.sentinelone.com/anthology/inc-ransom/
Ransomware Groups Demystified: Lynx Ransomware | Rapid7 Blog, accessed April 15, 2025, https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/
Ransomware Report 2023: targets, motives, and trends – Outpost24, accessed April 15, 2025, https://outpost24.com/blog/ransomware-report-2023-targets-motives-and-trends/
Port of Seattle Cyberattack: Rhysida Ransomware Breach and Recovery Efforts – Jacobson CPSC – About UCalgary WordPress – University of Calgary, accessed April 15, 2025, https://wpsites.ucalgary.ca/jacobson-cpsc/2024/11/07/port-of-seattle-cyberattack-rhysida-ransomware-breach-and-recovery-efforts/
#StopRansomware: Rhysida Ransomware | CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
Rhysida – SentinelOne, accessed April 15, 2025, https://www.sentinelone.com/anthology/rhysida/
An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector, accessed April 15, 2025, https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
CrowdStrike Threat Landscape: APTs & Adversary Groups, accessed April 15, 2025, https://www.crowdstrike.com/adversaries/
Threat Intelligence Management Services – IBM, accessed April 15, 2025, https://www.ibm.com/services/threat-intelligence
Threat Actor Groups Tracked by Palo Alto Networks Unit 42, accessed April 15, 2025, https://unit42.paloaltonetworks.com/threat-actor-groups-tracked-by-palo-alto-networks-unit-42/
Updates from Threat Analysis Group (TAG) – Google Blog, accessed April 15, 2025, https://blog.google/threat-analysis-group/
Threat actors | Latest Threats | Microsoft Security Blog, accessed April 15, 2025, https://www.microsoft.com/en-us/security/blog/threat-intelligence/threat-actors/
Cyber Threat Intelligence Company | Resecurity, accessed April 15, 2025, https://www.resecurity.com/context
MISP Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing, accessed April 15, 2025, https://www.misp-project.org/
APT33 Targets Aerospace & Energy Sectors | Spear Phishing | Google Cloud Blog, accessed April 15, 2025, https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage/
ISRAEL GAZA CONFLICT : THE CYBER PERSPECTIVE – CYFIRMA, accessed April 15, 2025, https://www.cyfirma.com/research/israel-gaza-conflict-the-cyber-perspective/
Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector, accessed April 15, 2025, https://thehackernews.com/2025/03/suspected-iranian-hackers-used.html
OilRig Exposed: Unveiling the Tools and Techniques of APT34 – Picus Security, accessed April 15, 2025, https://www.picussecurity.com/resource/blog/oilrig-exposed-tools-techniques-apt34
Cyber Security Reports, accessed April 15, 2025, https://www.security.ntt/reports/Cyber-Security-Reports-10_v001.pdf
Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations – CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
Watch out, GhostSec and Stourmous groups jointly conducting ransomware attacks, accessed April 15, 2025, https://securityaffairs.com/160066/cyber-crime/ghostsec-stourmous-ransomware.html
Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies – FBI, accessed April 15, 2025, https://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies
#StopRansomware: BianLian Ransomware Group | CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a