My latest research on #Pay2Key #Linux #Ransomware is out.
I first covered that variant generation ability back in July 2025 through the Pay2Key[.]I2P platform.
After completing the reversing process, it hit me that there is more to it.
Linux ransomware doesn’t get nearly as much attention as Windows threats. 🐧
But that’s changing.
Many ransomware groups are quietly adding Linux variants to target the infrastructure organizations depend on most: servers, virtualization hosts, and cloud workloads.
Morphisec Threat Labs recently analyzed the Pay2Key Linux ransomware variant - a configuration-driven encryptor designed to:
🔹Traverse large filesystem environments
🔹Disable Linux defenses like SELinux and AppArmor
🔹Encrypt data using configurable ChaCha20 modes
🔹Maintain stability to avoid crashing hosts mid-attack
Even more interesting? Many of the techniques used here are showing up across multiple ransomware families targeting Linux environments today.
In this research, we break down how the malware operates and what security teams need to understand about the growing Linux ransomware threat landscape. Read the blog and the full threat analysis - Links in the comments.
Avoid overclaiming and subjective terms when reporting findings; jumping to conclusions will only hurt your knees and leave a bad mark on future findings.
Okay, I'll say it.
#Intelligence does not need more numbers and statistics that most of the people present in the room where this should matter can't read anyway.
@ZackKorman Looks like the natural fallout of the same problem you mentioned in your other post: sales becoming really good with pitches, it is now turning into "Our security against X is Y's product".
Honestly? If you can't properly understand the threat any product becomes a fitting solution.
Ayo! Remember how #VECT 2.0 was soooo poorly written it actually turned into a wiper because Vect let the nonce go out the window?
Well y'all gonna want to read my buddy's report.
Uh, and another small thing... @morphisec's product can ACTUALLY decrypt large files back.
What happens when ransomware can't even decrypt the files it encrypted?
This latest blog from Morphisec threat researcher Yonatan Edri takes a closer look at VECT ransomware and uncovers a troubling reality: some victims may be left with files that are renamed, partially encrypted, corrupted, or otherwise unrecoverable - even when a decryptor is available.
While researchers have already documented VECT's nonce management flaw, our analysis found additional Windows-specific implementation issues that can create inconsistent file states and complicate recovery efforts.
Key findings:
✅Files are renamed before encryption begins, meaning a .vect extension doesn't necessarily indicate successful encryption.
✅Medium-sized files may be processed through a flawed buffer handling routine, potentially resulting in failed or incomplete encryption.
✅Shared global buffers introduce the possibility of file corruption under concurrent execution.
✅Large files can be modified using multiple encryption operations while retaining insufficient metadata for reliable restoration.
The result? Not all ransomware incidents produce cleanly encrypted files—and not all decryptors can put them back together.
The research reinforces an important lesson for defenders: recovery is not always guaranteed. Organizations need security strategies focused on preventing ransomware execution before encryption occurs, while maintaining the ability to recover affected files when attacks succeed.
Read the full analysis - link in the comments.
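Because VECT renames files before encrypting them and can leave files partially encrypted, it is worth triaging what a `.vect` file actually contains before running any decryptor over it. The helper below is an added example (not Morphisec's code, and not derived from VECT itself) that classifies file contents as untouched, partially encrypted or fully encrypted using two signals: whether the original format's magic bytes still sit at offset 0, and the Shannon entropy of each fixed-size chunk (ChaCha20 output looks like random data at close to 8 bits/byte, while most plaintext formats do not). The chunk size, the entropy threshold and the sample files are assumptions constructed for the demo and should be tuned against real data.

```python
"""Triage helper for ransomware-touched files (added example, not Morphisec code).

Each file is classified as 'untouched', 'partial' or 'encrypted' from:
  1. whether a known file-type magic survives at offset 0, and
  2. per-chunk Shannon entropy, since stream-cipher output is near 8 bits/byte
     while text and most document formats sit well below that.
"""
import math
import random
from collections import Counter

# Magic bytes for a few common formats; extend for your own estate (assumption).
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x7fELF": "elf",
}

CHUNK = 1024          # bytes per entropy region (assumption)
HIGH_ENTROPY = 7.5    # bits/byte; anything above this is treated as ciphertext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes):
    """Return the format name whose magic bytes still lead the file, else None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def classify(data: bytes) -> dict:
    """Classify file contents by magic survival and per-chunk entropy."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
    high = sum(shannon_entropy(c) >= HIGH_ENTROPY for c in chunks)
    if high == 0:
        verdict = "untouched"   # extension changed, contents intact: no decryptor needed
    elif high == len(chunks):
        verdict = "encrypted"   # uniformly high entropy: candidate for the decryptor
    else:
        verdict = "partial"     # mixed regions: expect trouble even with a decryptor
    return {
        "verdict": verdict,
        "magic": detect_magic(data),
        "high_entropy_chunks": high,
        "chunks": len(chunks),
    }


def build_samples() -> dict:
    """Constructed sample files standing in for a victim's .vect files (assumption)."""
    rng = random.Random(1337)  # fixed seed so the demo is reproducible
    text = b"The quick brown fox jumps over the lazy dog. " * 100
    plain = (b"\x89PNG\r\n\x1a\n" + text)[:4096]          # renamed, never encrypted
    encrypted = rng.randbytes(4096)                         # stands in for ChaCha20 output
    partial = rng.randbytes(2048) + plain[2048:]            # first half encrypted only
    return {
        "report.png.vect": plain,
        "ledger.xlsx.vect": encrypted,
        "archive.tar.vect": partial,
    }


def triage(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(data)["verdict"] for name, data in files.items()}


if __name__ == "__main__":
    for name, result in ((n, classify(d)) for n, d in build_samples().items()):
        print(f"{name}: {result}")
```

Files that come back as "untouched" only need their original extension restored; "partial" files are the ones the post warns about, and a recovery plan should lean on backups for them rather than on the decryptor.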
@angelshalagina In civilized societies it is easier to convince the reasonable to compromise instead of battling the unreasonable, because tactically it achieves a faster resolution while strategically it fails to resolve the issue. On a personal note, this is sad.
🌏 Nova Ransomware Expands Public Leak Operations
The group known as “Nova Ransomware” has published multiple new alleged victims on its leak platform, including organizations from Brazil’s technology and e-commerce sectors.
The post references several companies and claims large volumes of internal corporate data were exfiltrated and published after failed negotiations.
This type of “leak spread” activity continues to highlight how modern ransomware groups increasingly rely on:
public exposure
reputational pressure
staged leak releases
psychological operations against victims
At this stage, the authenticity and scope of the exposed data remain unverified.
DDW is monitoring the activity for additional validation, victim confirmation, and technical indicators.
#Ransomware #CyberSecurity #DataLeak #ThreatIntel #DarkWeb #Infosec #DDW