[May-07-2025] Daily Cybersecurity Threat Report

I. Synopsis of Significant Cyber Activity (Last 24 Hours)

The cyber threat landscape over the past 24 hours has been characterized by a continued barrage of attacks, with threat actors employing increasingly automated and sophisticated methods. Several incidents reported indicate a reliance on compromised credentials and the exploitation of public-facing applications, underscoring the persistent challenges in maintaining robust perimeter security and identity management. The actors observed range from financially motivated ransomware operators to groups specializing in data extortion and potentially disinformation campaigns. The use of Artificial Intelligence (AI) by attackers to enhance the realism of phishing campaigns and to evade traditional security controls is a developing trend that warrants close monitoring, as it lowers the barrier to entry for more effective and difficult-to-detect cyberattacks.1

A. Key Incidents and Notable Threat Actor Operations

The following table summarizes the significant incidents reported in the last 24 hours, providing a consolidated view of the threat activity. Subsequent sections will delve into detailed analyses of these events and the attributed threat actors.

Table 1: Daily Incident Summary

Incident ID | Victim Organization | Attributed Threat Actor | Incident Type | Key Impact Summary | Published URL
INC-2025-05-07-001 | GlobalLogistics Corp | ValidMail | Ransomware | Encryption of critical servers, exfiltration of 50GB of financial and customer data. Ransom demand: $2 million. | https://www.cybernews.com/globallogistics-ransomware-hit
INC-2025-05-07-002 | State Health Department of Anytown | Rassvettt | Data Breach – Disinformation Campaign | Exfiltration of 10,000 patient records, followed by targeted disinformation campaign using altered patient data. | https://www.healthsec.org/anytown-health-breach-disinfo
INC-2025-05-07-003 | Paraguayan Civil Aviation Authority (DINAC) | Gatito_FBI_Nz | Data Exfiltration | Claimed exfiltration of 152GB of sensitive personnel and operational data. | https://www.aviationsecuritytoday.com/dinac-paraguay-breach-claim
INC-2025-05-07-004 | TechSolutions Inc. | RATNICK | Credential Compromise leading to Lateral Movement | Compromise of multiple admin accounts, evidence of lateral movement. Data exfiltration extent unknown. | https://www.bleepingcomputer.com/news/security/techsolutions-hit-by-credential-compromise/

The interconnectedness of the cybercrime ecosystem is an important contextual factor. Many breaches are not isolated events but are facilitated by a larger supply chain where threat actors trade tools, services, and compromised data. Underground forums such as XSS and Exploit.in serve as marketplaces for these illicit goods, enabling actors to acquire capabilities or access that they might not develop independently.3 This ecosystem allows for specialization, where one group might focus on initial access brokerage while another executes the final payload, such as ransomware.

B. Emerging Tactical Observations

Initial observations from the day’s incidents suggest a continued reliance on credential-based attacks and the exploitation of vulnerabilities in public-facing applications. The involvement of actors known for supplying compromised credentials, as well as those leveraging AI for more sophisticated social engineering, points to an evolving tactical landscape. The role of dark web forums as enablers for cybercrime remains significant, providing platforms for the exchange of data, tools, and services that fuel these attacks.3

II. Detailed Incident Analysis

Incident ID: INC-2025-05-07-001

  • A. Breach Summary:
  • Victim Organization & Sector: GlobalLogistics Corp, Logistics and Supply Chain.
  • Nature of the Incident: Ransomware attack involving data encryption and exfiltration.
  • Reported Impact: Encryption of critical operational servers, exfiltration of approximately 50GB of financial and customer data. A ransom of $2 million has been demanded for data decryption and deletion of exfiltrated information.
  • Published URL: https://www.cybernews.com/globallogistics-ransomware-hit
  • Screenshots: https://www.cybernews.com/globallogistics-ransomware-hit/screenshot1.png
  • B. Threat Actor Deep Dive: ValidMail
  • 1. Identification & Attribution:
    ValidMail is identified as a cybercriminal group known for its role in the illicit credential market.1 This group specializes in packaging and validating compromised credentials, often referred to as “combo lists,” which are then sold or used to fuel further cyberattacks such as account takeovers, financial fraud, and corporate espionage.2 It is crucial to distinguish the threat actor “ValidMail” from “Valimail,” a legitimate email security company that focuses on solutions like DMARC to prevent email spoofing.7 The latter’s work is relevant to understanding email-based threats but is not associated with the malicious activities of the ValidMail criminal entity.
    The activities of ValidMail highlight its position as a key enabler within the broader cybercrime supply chain. By aggregating, validating, and distributing compromised credentials, ValidMail significantly lowers the barrier to entry for other malicious actors, providing them with the initial access needed to conduct a wide array of attacks. Their “products” – curated lists of usernames and passwords – are foundational resources for attackers specializing in credential stuffing and account takeovers.2
  • 2. Operational Profile & Motivations:
    The primary motivation for ValidMail is financial gain, achieved through the sale of compromised credentials and access to other cybercriminal entities.1 Their operations are geared towards monetizing stolen data by making it readily available on underground marketplaces.
  • 3. Observed Tactics, Techniques, and Procedures (TTPs):
    ValidMail’s core TTPs revolve around large-scale credential harvesting. While the specific methods for initial harvesting are not detailed in the available information, common techniques include phishing campaigns and the deployment of infostealer malware. Once obtained, these credentials are compiled into “combo lists”.2 Recent intelligence suggests that groups like ValidMail are increasingly harnessing AI to enhance the realism of phishing campaigns and to better evade traditional security controls, making their credential acquisition efforts more effective.1
  • 4. Historical Campaigns & Targets:
    Given their role as a supplier of compromised credentials, ValidMail’s activities indirectly impact a broad range of sectors. Organizations in manufacturing, healthcare, and financial services have been particularly affected by attacks fueled by credentials sourced from such initial access brokers.2 The widespread availability of these credentials means that numerous organizations could be vulnerable if their users’ credentials have been compromised and subsequently sold by groups like ValidMail.
  • 5. Affiliations (Other groups, malware, dark web forums):
    ValidMail operates within an ecosystem of initial access brokers and cybercriminal groups. Other actors mentioned in similar contexts include BestCombo and BloddyMery, who also specialize in providing compromised credentials.1 These groups likely frequent dark web forums to advertise their services and sell their data, contributing to the overall threat landscape.
  • C. Incident-Specific Intelligence:
    The attack on GlobalLogistics Corp aligns with the known modus operandi of groups that utilize compromised credentials for initial access, subsequently deploying ransomware. The exfiltration of 50GB of data prior to encryption is a common double-extortion tactic, where victims are pressured to pay not only for decryption keys but also to prevent the public release of sensitive information. The involvement of an actor like ValidMail suggests that the initial point of entry may have been through compromised user or administrative credentials obtained from their illicit offerings.
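The practical consequence of the combo-list trade described above is that a defender who obtains a leaked list needs to answer, quickly, which entries are theirs and which of those still work. The script below is an added example (not code from the report or from any vendor it cites) that triages a combo list against an organisation's own identity store. Everything in it is constructed: the domain example.com, the accounts, the combo-list lines, and the assumption that the store holds salted PBKDF2-HMAC-SHA256 verifiers (production systems typically use bcrypt or Argon2; the comparison step is the same).

```python
"""Combo-list exposure triage.

Added example, not code from the report or from any vendor it cites. It takes a
leaked combo list (one "email:password" or "email;password" per line) and works
out which entries matter to one organisation. Assumptions (all hypothetical):
the organisation's domain is example.com, passwords are stored as salted
PBKDF2-HMAC-SHA256 (production systems typically use bcrypt or Argon2; the
comparison step is the same), and every account and combo entry below is
constructed sample data.
"""
import hashlib
import hmac
import os

ORG_DOMAIN = "example.com"   # assumption: the organisation being checked
ITERATIONS = 100_000         # PBKDF2 work factor; kept modest for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password with the given per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_user_store(plaintext_passwords: dict) -> dict:
    """Constructed stand-in for the identity store: email -> (salt, verifier).
    A real deployment would load salts and verifiers, never plaintexts."""
    store = {}
    for email, password in plaintext_passwords.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def parse_combo_list(text: str) -> list:
    """Parse combo-list lines into (email, password) pairs.

    Splits on the first ':' or ';' only, because passwords themselves may
    contain the separator; lines without an '@' before the separator are
    treated as noise and skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for sep in (":", ";"):
            if sep in line:
                email, password = line.split(sep, 1)
                if "@" in email:
                    pairs.append((email.strip().lower(), password))
                break
    return pairs


def triage(combo: list, store: dict) -> dict:
    """Classify leaked entries that belong to ORG_DOMAIN.

    still_valid  - leaked password matches the current verifier: force a reset
                   and revoke sessions now, this is a working credential.
    stale        - account exists but the password has since changed: lower
                   priority, but flag the user for password-reuse awareness.
    unknown_user - address on our domain with no account: former employee,
                   alias or typo; check whether it still receives mail."""
    result = {"still_valid": [], "stale": [], "unknown_user": []}
    for email, password in combo:
        if not email.endswith("@" + ORG_DOMAIN):
            continue                      # another organisation's problem
        if email not in store:
            result["unknown_user"].append(email)
            continue
        salt, verifier = store[email]
        # constant-time comparison so the triage tool itself is not an oracle
        if hmac.compare_digest(hash_password(password, salt), verifier):
            result["still_valid"].append(email)
        else:
            result["stale"].append(email)
    return result


# Constructed sample data for the demo (not real leaked data).
SAMPLE_COMBO_LIST = """\
# constructed combo list
alice@example.com:Winter2024!
bob@example.com:hunter2
carol@example.com;Passw0rd
dave@other.org:letmein
this line is noise
eve@example.com:correct horse:battery
frank@example.com:qwerty
"""

SAMPLE_STORE = build_user_store({
    "alice@example.com": "Winter2024!",            # unchanged since the leak
    "bob@example.com": "NewPass#9",                # rotated since the leak
    "carol@example.com": "Passw0rd",
    "eve@example.com": "correct horse:battery",    # password contains ':'
})


def run_demo() -> dict:
    return triage(parse_combo_list(SAMPLE_COMBO_LIST), SAMPLE_STORE)


if __name__ == "__main__":
    for bucket, emails in run_demo().items():
        print(f"{bucket:12s} {', '.join(emails) or '-'}")
```

The "still_valid" bucket is the one that matters within the hour: those are working credentials in an attacker's hands. The "stale" bucket is still worth a look, because a user who rotated the password at work may be reusing the leaked one elsewhere, which is exactly what credential-stuffing operators count on.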

Incident ID: INC-2025-05-07-002

  • A. Breach Summary:
  • Victim Organization & Sector: State Health Department of Anytown, Healthcare.
  • Nature of the Incident: Data breach followed by a targeted disinformation campaign.
  • Reported Impact: Exfiltration of approximately 10,000 patient records. Subsequently, a disinformation campaign was launched, reportedly using altered versions of the stolen patient data to sow confusion or distrust.
  • Published URL: https://www.healthsec.org/anytown-health-breach-disinfo
  • Screenshots: https://www.healthsec.org/anytown-health-breach-disinfo/evidence.jpg
  • B. Threat Actor Deep Dive: Rassvettt
  • 1. Identification & Attribution:
    Rassvettt is identified as a cybercriminal entity or group notable for its use of generative AI in conducting malicious operations.10 This actor is reportedly associated with other entities named “Skillz” and “N3on”.10 The use of such advanced techniques suggests a higher level of sophistication compared to common cybercriminal activities.
    The weaponization of generative AI by Rassvettt for creating fake news, manipulated videos, and conducting large-scale disinformation campaigns represents a significant evolution in attack methodologies.10 This capability allows for highly convincing and scalable social engineering attacks, potentially influencing public opinion or enabling sophisticated impersonation for fraud or espionage. This moves beyond traditional phishing attempts, posing new challenges for detection and defense.
  • 2. Operational Profile & Motivations:
    The motivations of Rassvettt appear to extend beyond immediate financial gain. Their reported activities, particularly the use of AI for disinformation and impersonation, suggest objectives that could include influence operations, reputational damage, or espionage.10 The targeting of a State Health Department and subsequent manipulation of patient data could aim to erode public trust in healthcare institutions or create social unrest.
  • 3. Observed Tactics, Techniques, and Procedures (TTPs):
    Rassvettt’s primary TTPs involve the leveraging of generative AI to produce fake news, manipulated videos (deepfakes), and to orchestrate large-scale disinformation campaigns. They are also implicated in advanced impersonation attacks.10 The initial data breach at the State Health Department (method unspecified) provided the raw material for their subsequent AI-driven disinformation activities.
  • 4. Historical Campaigns & Targets:
    Specific historical campaigns attributed to Rassvettt are not detailed in the provided information beyond the current incident. However, their TTPs suggest that their targets are likely organizations or individuals susceptible to disinformation, or high-value targets for impersonation where trust can be exploited. The healthcare sector, as seen in this incident, is a prime target due to the sensitivity of its data and its societal importance.
  • 5. Affiliations (Other groups, malware, dark web forums):
    Rassvettt is associated with threat actors “Skillz” and “N3on”.10 While not explicitly stated, actors with such capabilities might leverage dark web forums like Exploit.in or XSS to acquire tools, share techniques, or collaborate with other specialists in the cybercrime ecosystem.
  • C. Incident-Specific Intelligence:
    The attack on the State Health Department of Anytown is particularly concerning due to the combination of a data breach with a subsequent disinformation campaign. The exfiltration of patient records is a severe privacy violation in itself. However, the use of altered data in a disinformation campaign adds another layer of malicious intent, potentially aiming to cause public panic, discredit the health department, or target specific individuals with falsified information. This incident underscores the evolving nature of cyber threats, where data theft can be a precursor to more complex information warfare tactics.

Incident ID: INC-2025-05-07-003

  • A. Breach Summary:
  • Victim Organization & Sector: Paraguayan Civil Aviation Authority (DINAC), Government – Aviation.
  • Nature of the Incident: Data exfiltration.
  • Reported Impact: The threat actor Gatito_FBI_Nz has claimed the exfiltration of 152GB of sensitive data, including personnel records (ID cards, passports, CVs, certificates) and operational data from DINAC.
  • Published URL: https://www.aviationsecuritytoday.com/dinac-paraguay-breach-claim
  • Screenshots: https://www.aviationsecuritytoday.com/dinac-paraguay-breach-claim/proof.png
  • B. Threat Actor Deep Dive: Gatito_FBI_Nz
  • 1. Identification & Attribution:
    Gatito_FBI_Nz is the name adopted by the threat actor or group claiming responsibility for the significant data breach at DINAC, Paraguay’s national civil aviation authority.11 The name itself (“FBI_Nz”) may be an attempt at misdirection, or to invoke a sense of fear or false authority.
    The targeting of a national civil aviation authority in a developing nation like Paraguay by Gatito_FBI_Nz underscores that governmental and critical infrastructure entities worldwide are considered valuable targets for data exfiltration.11 The types of data allegedly stolen – including passports, ID cards, and personal service records – are highly sensitive and can be used for identity theft, espionage, or to exert leverage over individuals.
  • 2. Operational Profile & Motivations:
    The primary motivation appears to be data extortion, given the public claim and the nature of the exfiltrated data.11 However, targeting a civil aviation authority could also imply motivations related to intelligence gathering, disruption of critical services, or demonstrating capability. The specific objectives beyond data theft are not clear from the available information.
  • 3. Observed Tactics, Techniques, and Procedures (TTPs):
    The specific TTPs used for the initial network intrusion and data exfiltration are not detailed in the provided information.11 The actor’s main observed procedure is the large-scale exfiltration of sensitive Personally Identifiable Information (PII) and potentially operational data, followed by a public claim of the breach.
  • 4. Historical Campaigns & Targets:
    The only known attributed activity for Gatito_FBI_Nz is the claimed breach of DINAC in Paraguay.11 There is no information available on prior campaigns or targets.
  • 5. Affiliations (Other groups, malware, dark web forums):
    There is no information available regarding Gatito_FBI_Nz’s affiliations with other threat groups, specific malware used, or their presence on dark web forums.
  • C. Incident-Specific Intelligence:
    The claim by Gatito_FBI_Nz to have exfiltrated 152GB of data from a national aviation authority is a serious concern.11 Such a breach could have significant implications for national security, aviation safety (if operational data was indeed compromised and could be manipulated or exploited), and the privacy of numerous individuals whose PII was stolen. Verification of the actor’s claims and the full extent of the breach is critical.

Incident ID: INC-2025-05-07-004

  • A. Breach Summary:
  • Victim Organization & Sector: TechSolutions Inc., Information Technology.
  • Nature of the Incident: Credential compromise leading to lateral movement within the network.
  • Reported Impact: Multiple administrator accounts were compromised, and evidence of lateral movement across systems has been detected. The extent of data exfiltration, if any, is currently unknown.
  • Published URL: https://www.bleepingcomputer.com/news/security/techsolutions-hit-by-credential-compromise/
  • Screenshots: https://www.bleepingcomputer.com/news/security/techsolutions-hit-by-credential-compromise/alert.png
  • B. Threat Actor Deep Dive: RATNICK
  • 1. Identification & Attribution:
    The attribution of this incident to a threat actor named “RATNICK” presents significant ambiguity. Available information associates the term “RATNICK” with several distinct, unrelated entities: an academic author involved in research on insider threat detection,12 a Russian future infantry combat system (“Ratnik”),13 a 3D model for game development available on a marketplace,14 and an attorney specializing in cyber law and education.15
    There is no clear indication from the provided intelligence that a specific cybercriminal group operates under the name “RATNICK.” This ambiguity is critical; it suggests that the name “RATNICK” in the incident report may be a misattribution, a placeholder, or refer to an unknown emerging actor for whom no public profile exists. Without further clarifying information, it is challenging to provide a definitive profile of a cybercriminal entity named “RATNICK.” If the incident involves insider activity, the research on pattern discovery for insider threat detection could offer contextual understanding of such threats, focusing on monitoring user activities like network access, login patterns, and data access.12
  • 2. Operational Profile & Motivations:
    Given the lack of a clear profile for a cybercriminal group “RATNICK,” defining a specific operational profile or motivation is not possible. The incident itself (credential compromise and lateral movement) is common in attacks aimed at data theft, espionage, or ransomware deployment.
  • 3. Observed Tactics, Techniques, and Procedures (TTPs):
    The observed TTPs in this specific incident are credential compromise (method unknown) and lateral movement. If this were an insider threat scenario, TTPs might involve abuse of legitimate access, creation of alternate accounts, or unusual data access patterns.12 However, attributing these specifically to a group named “RATNICK” is speculative.
  • 4. Historical Campaigns & Targets:
    No historical campaigns or targets can be definitively linked to a cybercriminal group named “RATNICK” based on the available information.
  • 5. Affiliations (Other groups, malware, dark web forums):
    No affiliations can be established for a cybercriminal group named “RATNICK.”
  • C. Incident-Specific Intelligence:
    The compromise of administrator accounts at TechSolutions Inc. is a severe security event, as it grants attackers extensive access and control over the IT environment. The observed lateral movement indicates that the attackers are actively exploring the network, likely seeking high-value data or systems to achieve their objectives. The ambiguity surrounding the threat actor “RATNICK” necessitates careful investigation to determine the true origin and nature of the attacker. It is possible that this is a new actor, or that the name is being used as a false flag. The priority for TechSolutions Inc. will be to contain the breach, revoke compromised credentials, identify the full scope of the intrusion, and determine the attacker’s objectives.

III. Strategic Threat Landscape Observations

A. Recurrent Attacker Methodologies Observed Across Incidents

The incidents reported over the past 24 hours highlight several recurrent attacker methodologies. A prominent theme is the exploitation of compromised credentials, as evidenced by the activities attributed to ValidMail and the credential compromise at TechSolutions Inc. This underscores the critical importance of robust identity and access management, including the widespread adoption of multi-factor authentication and continuous monitoring for credential misuse.2 The incident involving Rassvettt demonstrates the increasing sophistication of social engineering attacks through the use of generative AI, moving beyond simple phishing to create highly convincing disinformation and impersonation campaigns.10 Furthermore, data exfiltration remains a primary objective, often as a precursor to ransomware demands or for direct monetization, as seen in the GlobalLogistics Corp and DINAC incidents.

B. Dominant Threat Actor Archetypes and Their Objectives

The threat actors observed today represent several distinct archetypes. Initial Access Brokers (IABs), exemplified by ValidMail, specialize in obtaining and selling access to compromised networks or accounts, primarily driven by financial motives.2 Ransomware-as-a-Service (RaaS) affiliates or operators leverage this access or develop their own to deploy ransomware, extorting victims for financial gain, as seen with GlobalLogistics Corp. Data extortionists, such as Gatito_FBI_Nz, focus on stealing sensitive information and threatening its public release unless a payment is made.11 A more novel archetype involves disinformation specialists like Rassvettt, who utilize compromised data and AI to conduct influence operations or sophisticated fraud, with objectives that may transcend purely financial motivations.10

This specialization within the cybercrime ecosystem allows for greater efficiency and sophistication. For instance, an IAB like ValidMail might sell credentials to a RaaS affiliate, who then deploys ransomware developed by a separate RaaS platform provider.17 This division of labor means that even less technically skilled actors can launch damaging attacks by leveraging the tools and services offered by others within this underground economy.

C. Targeting Trends (Sectors, Geographies, Technologies)

The reported incidents show continued targeting across various sectors. The Logistics sector (GlobalLogistics Corp) remains a target for ransomware due to its critical role in supply chains and potential for operational disruption. The Healthcare sector (State Health Department of Anytown) is frequently attacked due to the sensitivity of patient data and the severe impact of service disruptions, making it a lucrative target for extortion.19 Government entities (Paraguayan Civil Aviation Authority) are targeted for data with intelligence value or for disruptive purposes. The Information Technology sector (TechSolutions Inc.) is also a prime target, as compromising IT service providers can offer attackers a route into their clients’ networks.

Geographically, the incidents span North America and South America, indicating the global nature of cyber threats. While specific technologies exploited were not detailed for all incidents, the general trend of exploiting public-facing applications and vulnerabilities in identity management systems persists.

The evolution of the threat landscape indicates that advanced cybercrime tools and techniques are becoming more democratized. AI-powered tools for creating phishing content or disinformation are increasingly accessible, not always bound by the ethical restrictions of publicly available AI.2 Similarly, RaaS platforms provide sophisticated ransomware capabilities to a broad range of affiliates, regardless of their individual technical prowess.17 Exploit kits are also packaged and sold on darknet marketplaces, further lowering the barrier to entry for launching attacks.2 This means that organizations face a wider array of adversaries who, even if less skilled individually, can wield powerful tools capable of causing significant damage.

IV. Proactive Defense & Strategic Recommendations

A. Tailored Mitigation Strategies for Observed Threats

Based on the specific threats and TTPs observed in the last 24 hours, the following mitigation strategies are recommended:

  • Against Credential Compromise (e.g., ValidMail activity, TechSolutions Inc. incident):
  • Enforce strong, unique passwords for all accounts.
  • Implement mandatory Multi-Factor Authentication (MFA) across all services, especially for remote access and administrative accounts. Prioritize phishing-resistant MFA methods (for example FIDO2/WebAuthn security keys or passkeys) over SMS and push-based factors, which AI-assisted phishing and push-fatigue attacks can defeat.
  • Deploy credential monitoring services to detect compromised employee credentials on dark web marketplaces and forums.
  • Conduct regular audits of account privileges, adhering to the principle of least privilege.
  • Against AI-Driven Phishing/Disinformation (e.g., Rassvettt activity):
  • Enhance employee security awareness training to recognize sophisticated, AI-generated phishing emails, deepfakes, and social engineering tactics. Training should emphasize critical thinking and verification of unusual requests.
  • Implement advanced email filtering solutions that leverage AI and machine learning to detect nuanced phishing attempts and malicious content.
  • Establish brand monitoring capabilities to detect impersonation attempts or disinformation campaigns targeting the organization or its executives.
  • Against Ransomware and Data Exfiltration (e.g., GlobalLogistics Corp, DINAC incident):
  • Maintain a rigorous patch management program to address vulnerabilities in operating systems, applications, and network devices promptly, especially public-facing systems.20
  • Implement network segmentation to limit the blast radius of a successful intrusion and prevent lateral movement.
  • Develop and regularly test a robust backup and recovery strategy, ensuring that critical data is backed up to immutable, offline, or air-gapped storage.
  • Have a well-documented and rehearsed incident response plan that specifically addresses ransomware and data extortion scenarios.
  • Addressing Potential Insider Threats (relevant if “RATNICK” incident involved an insider):
  • Deploy User and Entity Behavior Analytics (UEBA) to monitor for anomalous user activities, such as unusual data access, login times, or network connections.12
  • Implement strict access controls and the principle of least privilege.
  • Conduct thorough background checks for employees in sensitive positions, where legally permissible.
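The credential-monitoring and UEBA recommendations above, and the failed-then-successful-login indicator listed in the next section, come down to two detections that can be run over an authentication log. The script below is an added example (not code from the report) that implements both: a credential-stuffing burst (one source failing against many distinct accounts inside a sliding window) and a run of failures followed by a success from a location the user has never logged in from. The log format, the log lines and the per-user location baselines are constructed for the demo; a real IdP, VPN or SSH log needs its own parser in place of LOG_RE, and the detection logic is unchanged.

```python
"""Auth-log detection for credential stuffing and fail-then-success from a
new location.

Added example, not code from the report. The log format is hypothetical (one
event per line: timestamp, user, src, geo, result) and the log lines and
per-user location baselines are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse_auth_log(text: str) -> list:
    """Parse log lines into dicts sorted by time; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failures touch >= min_users distinct accounts
    inside any sliding window. Returns [(src, max_distinct_users)]."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    alerts = []
    for src, fails in fails_by_src.items():
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, len({f["user"] for f in fails[start:end + 1]}))
        if best >= min_users:
            alerts.append((src, best))
    return alerts


def detect_fail_then_success_new_geo(events, baseline, window=timedelta(minutes=15), min_fails=3):
    """Flag a SUCCESS for a user preceded by >= min_fails failures inside the
    window when the success comes from a geo absent from the user's baseline.
    Returns [(user, src, geo)]."""
    recent_fails = defaultdict(list)
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "FAIL":
            recent_fails[user].append(e["ts"])
            continue
        fails_in_window = [t for t in recent_fails[user] if e["ts"] - t <= window]
        recent_fails[user] = []            # a success resets the run
        if len(fails_in_window) >= min_fails and e["geo"] not in baseline.get(user, set()):
            alerts.append((user, e["src"], e["geo"]))
    return alerts


# Constructed sample log: a stuffing burst, a takeover-style success for alice
# from a geo she never uses, and two benign fail/success sequences.
SAMPLE_LOG = """\
2025-05-07T01:00:00Z user=u01 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T01:00:08Z user=u02 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T01:00:16Z user=u03 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T01:00:24Z user=u04 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T01:00:32Z user=u05 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T01:00:40Z user=u06 src=198.51.100.9 geo=NL result=FAIL
2025-05-07T02:13:05Z user=alice src=203.0.113.7 geo=RU result=FAIL
2025-05-07T02:13:21Z user=alice src=203.0.113.7 geo=RU result=FAIL
2025-05-07T02:13:40Z user=alice src=203.0.113.7 geo=RU result=FAIL
2025-05-07T02:14:02Z user=alice src=203.0.113.7 geo=RU result=SUCCESS
2025-05-07T08:30:00Z user=bob src=192.0.2.20 geo=US result=FAIL
2025-05-07T08:30:15Z user=bob src=192.0.2.20 geo=US result=SUCCESS
2025-05-07T09:01:00Z user=carol src=192.0.2.21 geo=US result=FAIL
2025-05-07T09:01:10Z user=carol src=192.0.2.21 geo=US result=FAIL
2025-05-07T09:01:20Z user=carol src=192.0.2.21 geo=US result=FAIL
2025-05-07T09:01:30Z user=carol src=192.0.2.21 geo=US result=SUCCESS
garbage line that does not parse
"""
# Constructed per-user baseline of geos seen in the last 90 days.
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}


def run_demo() -> dict:
    events = parse_auth_log(SAMPLE_LOG)
    return {
        "stuffing": detect_credential_stuffing(events),
        "new_geo_after_fails": detect_fail_then_success_new_geo(events, BASELINE),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts or "-")
```

Carol's three failures followed by a success produce no alert because the success comes from a baseline location; that contrast is deliberate, since alerting on every fail/success run without the location check generates far more noise than a SOC will tolerate. The thresholds (ten-minute window, five accounts, three failures) are starting points to tune against the organisation's own logs.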

B. Indicators for Heightened Security Posture

Organizations should monitor for the following indicators, which may suggest an increased risk or an ongoing attack, based on today’s observations:

  • Unusual or repeated login failures followed by successful logins from unfamiliar locations or at atypical times.
  • Unexpected network traffic patterns, particularly large outbound data transfers or connections to known malicious IP addresses or domains.
  • Alerts from endpoint detection and response (EDR) systems indicating the execution of suspicious scripts, unauthorized software, or tools commonly used by attackers (e.g., credential dumping tools, remote access trojans).
  • Reports from employees of highly targeted and convincing phishing emails or social engineering attempts.
  • Discovery of “combo lists” or company-specific credentials on dark web forums or paste sites.
  • Evidence of AI-generated content being used in attempts to impersonate company executives or disseminate false information about the organization.
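Two of the indicators above, large outbound data transfers and connections to known malicious addresses, can be checked from aggregated flow records. The script below is an added example (not code from the report) that builds a per-host outbound baseline from previous days and flags a host whose outbound volume today is far outside it, alongside any flow to a denylisted destination. The flow format (a CSV of day, source, destination, bytes), the records and the single denylisted address are constructed for the demo, and "internal" is defined as RFC 1918 space, which an organisation with its own public ranges would extend.

```python
"""Outbound-volume anomaly check for the "large outbound data transfers" and
"connections to known malicious IPs" indicators.

Added example, not code from the report. Flow records are a hypothetical CSV
(day, src, dst, bytes_out) as a NetFlow or cloud flow-log exporter might
produce after daily aggregation; the records, hosts and the denylisted address
are constructed for the demo. Per-host baselines use the median and median
absolute deviation of previous days, which a single earlier spike does not
skew the way a mean/stddev baseline would.
"""
import ipaddress
import statistics
from collections import defaultdict

DENYLIST = {"203.0.113.44"}   # constructed stand-in for a threat-intel feed
MB = 1_000_000
# RFC 1918 ranges; an organisation would add its own public address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, src, dst, nbytes = (p.strip() for p in line.split(","))
        flows.append((day, src, dst, int(nbytes)))
    return flows


def outbound_by_host_day(flows) -> dict:
    """host -> {day: bytes sent from an internal host to an external address}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][day] += nbytes
    return totals


def robust_z(value: float, history: list) -> float:
    """Distance of value from the history median in MAD units (scaled so that
    it is comparable to a z-score for normal data)."""
    med = statistics.median(history)
    mad = statistics.median(abs(v - med) for v in history)
    scale = 1.4826 * mad if mad > 0 else max(0.05 * med, 1.0)  # guard flat histories
    return (value - med) / scale


def flag_exfil(flows, today: str, z_threshold=6.0, min_history=3) -> list:
    """Return alerts as (host, reason, detail)."""
    alerts = []
    # 1. any flow today to a denylisted destination, regardless of size
    for day, src, dst, nbytes in flows:
        if day == today and dst in DENYLIST:
            alerts.append((src, "denylisted_destination", dst))
    # 2. today's outbound volume far above the host's own history
    for host, days in outbound_by_host_day(flows).items():
        history = [v for d, v in days.items() if d != today]
        if len(history) < min_history or today not in days:
            continue                      # no baseline yet; review manually
        if robust_z(days[today], history) > z_threshold:
            alerts.append((host, "outbound_volume_spike", round(days[today] / MB)))
    return alerts


# Constructed flow records: 10.0.0.5 sends ~125 MB/day then 6.2 GB today,
# 10.0.0.7 is steady (its 9 GB internal copy is not outbound), and 10.0.0.9
# has no history but touches the denylisted address.
SAMPLE_FLOWS = """\
# day,src,dst,bytes_out
2025-05-03,10.0.0.5,198.51.100.10,120000000
2025-05-04,10.0.0.5,198.51.100.10,130000000
2025-05-05,10.0.0.5,198.51.100.10,125000000
2025-05-06,10.0.0.5,198.51.100.10,118000000
2025-05-07,10.0.0.5,198.51.100.10,200000000
2025-05-07,10.0.0.5,203.0.113.99,6000000000
2025-05-03,10.0.0.7,198.51.100.10,50000000
2025-05-04,10.0.0.7,198.51.100.10,55000000
2025-05-05,10.0.0.7,198.51.100.10,48000000
2025-05-06,10.0.0.7,198.51.100.10,52000000
2025-05-07,10.0.0.7,198.51.100.10,53000000
2025-05-07,10.0.0.7,10.0.0.8,9000000000
2025-05-07,10.0.0.9,203.0.113.44,2000
"""


def run_demo() -> list:
    return flag_exfil(parse_flows(SAMPLE_FLOWS), today="2025-05-07")


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

Daily totals are coarse; the same baseline logic applied per hour, or per destination, catches a slow transfer that stays under a daily threshold, and the denylist check is deliberately size-independent because a beacon to a known-bad address is a few hundred bytes.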

C. Anticipatory Threat Outlook

The threat landscape is expected to remain dynamic and challenging. Key anticipations include:

  • Continued Growth of Ransomware: Ransomware attacks, particularly those leveraging the RaaS model, will likely persist and potentially increase in frequency and impact. The ease of access to RaaS kits lowers the barrier to entry for new threat actors.21
  • Increased Sophistication of Social Engineering: Threat actors will continue to refine their social engineering tactics, with AI playing a more significant role in crafting personalized and convincing phishing messages, voice phishing (vishing), and deepfake content.1
  • Exploitation of the Supply Chain: Attacks targeting third-party vendors and software supply chains will remain a significant concern, as these can provide attackers with broad access to multiple downstream victims.22
  • Focus on Identity: Compromised credentials will continue to be a primary vector for initial access. Attacks targeting identity infrastructure, including bypassing MFA and exploiting misconfigured cloud IAM policies, are likely to increase.22
  • Targeting of Critical Infrastructure: Sectors such as healthcare, finance, energy, and government will remain high-value targets due to the potential for widespread disruption and the sensitivity of the data they hold.19

The longevity and resilience of cybercriminal forums like XSS and Exploit.in, which have operated for many years and adapted to law enforcement takedowns by rebranding or evolving their operational security,4 indicate that the underlying infrastructure supporting cybercrime is robust. This suggests that defensive strategies must be equally adaptive and focus on building resilience against a persistent and evolving adversary. Organizations should prioritize foundational security controls, invest in advanced threat detection and response capabilities, and foster a strong security culture to mitigate these evolving threats.

Works cited

  1. AI and automation shift the cybersecurity balance toward attackers – Help Net Security, accessed May 7, 2025, https://www.helpnetsecurity.com/2025/05/02/threat-actors-automation-cybersecurity/
  2. Fortinet Threat Report Reveals Record Surge in Automated Cyberattacks as Adversaries Weaponize AI and Fresh Techniques – GlobeNewswire, accessed May 7, 2025, https://www.globenewswire.com/news-release/2025/04/28/3069236/0/en/Fortinet-Threat-Report-Reveals-Record-Surge-in-Automated-Cyberattacks-as-Adversaries-Weaponize-AI-and-Fresh-Techniques.html
  3. Top 10 Dark Web Forums Of 2025 And Deep Web Communities – Cyble, accessed May 7, 2025, https://cyble.com/knowledge-hub/top-10-dark-web-forums/
  4. Forums are Forever – Part 1: Cybercrime Never Dies – ReliaQuest, accessed May 7, 2025, https://www.reliaquest.com/blog/forums-are-forever-part-1-cybercrime-never-dies/
  5. Top 10 Dark Web Forums Dominating Cybercrime – Threat Intelligence Lab, accessed May 7, 2025, https://threatintelligencelab.com/blog/top-10-dark-web-forums-dominating-cybercrime/
  6. Mail Combo | PDF – Scribd, accessed May 7, 2025, https://www.scribd.com/document/701555213/mail-Combo
  7. Email Remains Primary Gateway for Disinformation and Cyberattacks in 2025 According to New Report from Valimail, accessed May 7, 2025, https://www.valimail.com/newsroom/email-remains-primary-gateway-for-disinformation-and-cyberattacks-in-2025-according-to-new-report-from-valimail/
  8. 1.7 Billion Reasons to Change Your Password Today – The420.in, accessed May 7, 2025, https://the420.in/infostealer-malware-password-breach-2025-world-password-day-gen-z-security/
  9. AI-Driven Surge in Cyber Threats – Canary Trap, accessed May 7, 2025, https://www.canarytrap.com/ai-driven-surge-in-cyber-threats/
  10. IA Generativa y Cibercrimen: El Auge de una Nueva Amenaza – DarkData – Cyber Security, accessed May 7, 2025, https://www.darkdata.es/ia-generativa-y-cibercrimen-el-auge-de-una-nueva-amenaza/
  11. Breaking Cyber News From Cyberint, accessed May 7, 2025, https://cyberint.com/news-feed/
  12. (PDF) Pattern Discovery for Insider Threat Detection – ResearchGate, accessed May 7, 2025, https://www.researchgate.net/publication/325019585_Pattern_Discovery_for_Insider_Threat_Detection
  13. Ratnik (program) – Wikipedia, accessed May 7, 2025, https://en.wikipedia.org/wiki/Ratnik_(program)
  14. Ratnik T170 – Fab, accessed May 7, 2025, https://www.fab.com/listings/07330841-a68a-4f82-b649-0dad31196bc6
  15. Cybercation 2024 news – Norden, accessed May 7, 2025, https://www.norden.ee/en/events/cybercation-2024/news/
  16. Rainer Ratnik: Cyber education a core part of modern social studies | Opinion – ERR News, accessed May 7, 2025, https://news.err.ee/1609491331/rainer-ratnik-cyber-education-a-core-part-of-modern-social-studies
  17. Ransomware Gangs Are Joining Forces. Here’s How to Prepare., accessed May 7, 2025, https://www.security.com/feature-stories/ransomware-gang
  18. Threat Actor Profile – Hive ransomware group – Outpost24, accessed May 7, 2025, https://outpost24.com/blog/threat-actor-profile-hive-ransomware-group/
  19. Cybercrime: A Multifaceted National Security Threat | Google Cloud Blog, accessed May 7, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat
  20. INC Ransom: A Sophisticated Ransomware & Data Extortion Group – Cyble, accessed May 7, 2025, https://cyble.com/threat-actor-profiles/inc-ransom/
  21. Report Shows Historic Ransomware Activity – Manufacturing.net, accessed May 7, 2025, https://www.manufacturing.net/cybersecurity/news/22935966/report-shows-historic-ransomware-activity
  22. Report Reveals Four Critical Shifts in Threat Actor Attack Behaviour – Sygnia, accessed May 7, 2025, https://www.sygnia.co/press-release/evolving-cyber-threats-2025-field-report/
  23. www.radware.com, accessed May 7, 2025, https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/infinity-forum/#:~:text=EXPLOIT%20FORUM,techniques%2C%20exploits%2C%20and%20vulnerabilities.