CyberSecurity Knuggets

Jan 20, 2026

I just heard about a major law enforcement crackdown on the ransomware group Black Basta, which is linked to Russia. Ukrainian and German authorities arrested two suspects in western Ukraine who were heavily involved in stealing corporate credentials and setting up ransomware attacks. During raids, they seized digital devices and cryptocurrency assets. Meanwhile, the alleged gang leader, Oleg Nefedov, remains at large and is now on Interpol’s wanted list. He is believed to be in Russia and is suspected of orchestrating attacks and handling ransom negotiations. This operation is critical because Black Basta has caused significant damage through ransomware extortion, demanding cryptocurrency payments.

In another case, a Jordanian man pleaded guilty to selling unauthorized access to more than 50 company networks by exploiting firewall vulnerabilities. He also distributed malware designed to bypass endpoint detection and escalate privileges, with one of his tools reportedly used on an FBI server during an undercover operation. This highlights the ongoing threat posed by access brokers who facilitate cybercrime by providing tools and network access to hackers, thereby increasing the risk of ransomware attacks and data breaches. Organizations need to be vigilant about securing their firewalls and monitoring for unauthorized access.

There’s also troubling news about internal conflicts at CISA, where the acting head’s effort to remove the agency’s chief information officer was blocked by political appointees. This leadership struggle threatens the stability of an agency tasked with protecting U.S. infrastructure from cyber threats. Any disruption here could delay critical cybersecurity initiatives, which is particularly concerning given the growing sophistication and frequency of cyberattacks targeting vital systems.

On the threat front, an Iranian phishing campaign aimed at stealing Gmail credentials and compromising WhatsApp accounts was uncovered. The attackers used a cleverly disguised phishing site, and researchers discovered their servers were poorly secured, exposing dozens of victims including prominent people in national security and business sectors. This incident underscores the ongoing danger of state-sponsored espionage and the urgent need for heightened vigilance around credential phishing, especially for high-value targets.

Finally, a ransomware attack on Ingram Micro affected over 42,000 individuals and businesses, illustrating that supply chain and service providers remain prime targets for cybercriminals. Organizations relying on Ingram Micro’s services should urgently assess their exposure and bolster their incident response plans. Alongside this, vulnerabilities in widely used products like TP-Link cameras and Cisco equipment continue to pose serious risks. These developments make it clear that proactive patch management and strong security hygiene are essential across all industries to minimize the impact of such attacks.

Stay Well!
