
Insights & Intelligence

Expert knowledge from the frontlines of ransomware defense. Industry leaders share actionable intelligence, novel workflows, and cutting-edge research to help you stay ahead of threats.

Latest Intelligence

Expert research and analysis from the frontlines

Threat Intelligence | 35 min read

DragonBreath: Dragon in the Kernel

A 0-day BYOVD vulnerability in dragoncore_k.sys signed by Zhengzhou 403 Network Technology, with shell company analysis, Dragon Breath APT-Q-27 attribution, and an APT31 / Wuhan Xiaoruizhi personnel nexus.

Alex Necula & Ellis Stannard

April 22, 2026

+3 contributors

Threat Intelligence | 10 min read

0APT Hacked - And Then Got Hacked Back

An extortion-minded threat actor known as 0APT breached the Krybit ransomware admin panel — and within hours was counter-hacked by Krybit. A look inside both operations, the chat transcript, and the recovered Android-hosted infrastructure.

Corsin Camichel, Dani [Varys] Z, Ellis Stannard, Eric Taylor, Katya Kandratovich

April 14, 2026

Threat Advisory | 3 min read

Iran-linked hackers access U.S. Water Utilities East Coast - Advisory

A Unified Threat Advisory on Iran-linked hackers targeting small U.S. East Coast water utilities via Eclipse 9800i PLCs, and technical details of the TRK25-ADVANCED Python GUI ICS reconnaissance and exfiltration tool.

Reyben Cortes

April 9, 2026

+4 contributors

Threat Advisory | 45 min read

Supply Chain Confidence: What Every Organisation Needs to Know

A threat advisory covering TeamPCP’s multi-stage supply chain campaign through Trivy, npm, LiteLLM, Telnyx, and Axios — with 11 prioritised defensive recommendations for organisations of all sizes.

Ransom-ISAC Research Team

April 3, 2026

+12 contributors

Vulnerability Research | 30 min read

You’re Driving Me Crazy: Analysing and Detecting BYOVD

A deep-dive technical reference for SOC teams and threat hunters covering BYOVD attack analysis, kernel driver reverse engineering, KQL detection queries, and defensive hardening with WDAC policies.

Alex Necula

April 3, 2026

+3 contributors

Threat Intelligence | 30 min read

Contagious Interview: VS Code to RAT

A DPRK-affiliated social engineering campaign weaponises VS Code trusted features to deliver RATs through fake job interviews, with full attack chain analysis, malware breakdown, infrastructure tracking, and IOCs.

François-Julien Alcaraz & Yashraj Solanki

March 16, 2026

+3 contributors

Threat Intelligence | 30 min read

Ransomware in Healthcare: Three Years of Insight

A case study exploring how deeper insight emerges when analysis moves beyond high-level sector classifications on Dedicated Leak Sites and instead focuses on the specific subsectors within which entities operate.

Jeffrey Bell

February 19, 2026

+3 contributors

DFIR | 30 min read

Ransomware Leak Collection & Analysis

A structured intelligence workflow for ransomware leak data collection and LLM-assisted analysis, from automated Tor-based collection to agentic reasoning and intelligence dissemination.

Apurv Singh Gautam

February 6, 2026

+4 contributors

Threat Intelligence | 55 min read

Safely Tracking Ransomware Affiliates

An ethical and reproducible HUMINT-style workflow for safely observing ransomware affiliates using synthetic personas, tactical empathy, and rigorous operational security.

Matthew Maynard

December 29, 2025

+5 contributors

Threat Intelligence | 35 min read

Cross-Chain TxDataHiding Crypto Heist: A Very (Very) Chainful Process (Part 4)

Follow the money through on-chain analysis, tracing stolen funds across BSC and TRON blockchains and connecting wallet addresses directly to other DPRK exchange thefts. Blockchain forensic evidence ties this campaign to a broader pattern of North Korean cryptocurrency operations.

Nick Smart and Andrii Sovershennyi

December 8, 2025

+4 contributors

Threat Intelligence | 45 min read

Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)

Deep dive into the adversary infrastructure, operational security measures, and attribution analysis of the DPRK-linked campaign, revealing infrastructure fingerprints, C2 clusters, and connections to known threat groups.

Yashraj Solanki

November 13, 2025

+4 contributors

Become a Contributor

We're building a community of ransomware defense experts. If you have unique insights, novel workflows, or cutting-edge research to share, we want to hear from you.

Expert recognition
L.O.C.K. S.T.A.R. eligibility
Global impact
Community support

Join the Fight Against Ransomware

Partner with Ransom-ISAC to access high-quality threat intelligence and connect with defenders worldwide.