
Snapshot Summary

| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Ransomware playbooks and backups | 3 |
| Cyber Investigations | Global fraud and piracy probes | 3 |
| Major Cyber Incidents | Supply-chain, legal and industrial breaches | 4 |
| Exploits & Threat Intelligence | Zero-days, RCEs and ransomware tactics | 4 |
| Law Enforcement | Arrests and coordinated crackdowns | 3 |
| Policy | Sanctions and tougher cyber bills | 3 |
| Standards & Compliance | Patch discipline and resilience guidance | 4 |

Digital Forensics & Incident Response
Investigating Conti ransomware with Splunk — Digital forensics practitioners are dissecting a detailed case study of a Conti ransomware intrusion investigated using Splunk, tracing the attack from an initial ProxyShell breach through lateral movement, credential theft and final mass encryption across a victim network [Global]. This breakdown gives DFIR teams practical hunting queries and timeline reconstruction techniques they can reuse to detect similar campaigns, validate containment, and brief leadership on how attackers progressed at each stage of the kill chain (Source: Hackers Arise, 20-11-2025).
Obscura ransomware case study exposes backup blind spots — A new analysis of the Obscura ransomware operation documents how victims who rushed to pay still suffered significant data loss because attackers destroyed snapshots and corrupted backups before triggering encryption across the environment [Global]. The case reinforces for incident responders that backup architectures and tabletop-tested recovery runbooks are as critical as perimeter defenses if organisations want to avoid business outages even when extortion demands are met (Source: Security Boulevard, 19-11-2025).
UK guidance renews focus on offline records — A UK business consultancy blog highlights new government and NCSC advice urging organisations to maintain offline, immutable copies of key records as a contingency against destructive cyber attacks [EU]. For DFIR and resilience planners, the push for cold backups and paper-based fallbacks underlines that recovery planning must assume catastrophic loss of cloud and primary storage, not just short-lived ransomware disruption (Source: Morgan Jones, 20-11-2025).
Cyber Investigations
International operation follows $55m crypto piracy trail — Investigators from more than 15 countries, coordinated through Europol, traced around $55 million in cryptocurrency payments flowing through streaming piracy platforms, opening dozens of new probes into large-scale intellectual property crime [EU]. The case illustrates how cross-border data sharing, blockchain analytics and private-sector partnerships are now central to unpicking complex monetisation schemes behind cyber-enabled piracy operations (Source: The Record, 19-11-2025).
West Bengal police tie industrialist to cybercrime ring — An in-depth report details how West Bengal Police spent over a year tracing shell firms, mule accounts and call-centre operations before arresting a close associate of industrialist Pawan Ruia in a multi-crore cyber fraud case [APAC]. The investigation shows how traditional financial forensics, phone-record analysis and cyber tracing converge when organised crime blends corporate fronts with large-scale online scams (Source: The Indian Express, 21-11-2025).
Fake call centre targeting US citizens busted in Navi Mumbai — Indian police raided a Navi Mumbai call centre accused of impersonating US officials, with at least 20 suspects detained after investigators linked the operation to dozens of cyber fraud complaints nationwide [APAC]. For cyber investigators, the case underscores the importance of international victim reporting, telecom data analysis and rapid coordination with foreign agencies when fraud operations based in one region target victims in another (Source: The New Indian Express, 20-11-2025).
Major Cyber Incidents
Gainsight breach hits Salesforce customers in new supply-chain attack — Salesforce has warned that a breach at customer-success platform Gainsight allowed attackers to access data from an undisclosed number of Salesforce tenants, in a pattern similar to an earlier Salesloft-related incident [US]. The case highlights how SaaS-to-SaaS trust relationships and third-party access tokens can silently cascade compromise across thousands of organisations, making vendor inventory and least-privilege app access critical for defenders (Source: TechCrunch, 20-11-2025).
New Gainsight hack underscores systemic SaaS exposure — Parallel reporting on the Gainsight incident warns that the compromise may impact close to a thousand companies globally, as attackers leverage access to connected Salesforce instances and other integrated tools [Global]. For DFIR and risk owners, the breach reinforces that supply-chain compromise increasingly arrives via cloud platforms rather than traditional on-prem vendors, demanding continuous reassessment of third-party risk registers and token hygiene (Source: Infosecurity Magazine, 20-11-2025).
Ransomware attack hits LG battery subsidiary — LG Energy Solution has confirmed a ransomware incident affecting one of its overseas sites, with the Akira group claiming to have stolen 1.7TB of sensitive employee and corporate data, though production has reportedly been restored [APAC]. The attack illustrates how industrial and energy-sector suppliers remain prime targets for double-extortion campaigns seeking both operational disruption leverage and rich data sets for secondary monetisation (Source: TechRadar Pro, 20-11-2025).
US law firm faces class action over social-engineering breach — Pillsbury Winthrop Shaw Pittman is facing a proposed class-action lawsuit after a sophisticated social-engineering attack on one user account led to the exposure of extensive personal and financial data for thousands of individuals [US]. The case shows that even when initial access appears limited, legal, regulatory and reputational fallout can be severe if privileged documents or PII are accessible, raising the bar for MFA, lateral-movement controls and breach notification processes in professional services firms (Source: Reuters, 19-11-2025).
Exploits & Threat Intelligence
Google patches actively exploited Chrome zero-day — Google has shipped an emergency fix for CVE-2025-13223, a type confusion bug in the Chrome V8 engine that its Threat Analysis Group reports is already being exploited in the wild for remote code execution [Global]. With this seventh Chrome zero-day of the year, SOC teams are urged to verify rapid browser patching across Windows, macOS and Linux fleets and watch for suspicious web-driven child processes originating from unpatched environments (Source: HelpNetSecurity, 18-11-2025).
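The bulletin's advice to watch for suspicious web-driven child processes can be turned into a concrete triage rule. The following is an added example, not code from HelpNetSecurity or Google: a small Python checker that runs over constructed process-creation records in an assumed `key=value` line format (not any EDR's native schema) and flags browser processes that spawn anything other than their own helper processes, with a higher severity for script interpreters and living-off-the-land binaries. The browser and interpreter name lists are assumptions chosen for illustration.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample events (assumption: a simple key=value line format,
# not the native schema of any particular EDR or Sysmon configuration).
SAMPLE_EVENTS = """\
ts=2025-11-18T09:12:03Z host=ws-041 parent=chrome.exe child=chrome.exe cmd="chrome.exe --type=renderer"
ts=2025-11-18T09:12:44Z host=ws-041 parent=chrome.exe child=chrome.exe cmd="chrome.exe --type=gpu-process"
ts=2025-11-18T09:13:10Z host=ws-041 parent=chrome.exe child=powershell.exe cmd="powershell.exe -WindowStyle Hidden"
ts=2025-11-18T09:14:02Z host=ws-077 parent=chrome.exe child=cmd.exe cmd="cmd.exe /c whoami"
ts=2025-11-18T09:15:30Z host=ws-077 parent=explorer.exe child=powershell.exe cmd="powershell.exe -File build.ps1"
ts=2025-11-18T09:16:01Z host=ws-090 parent=chrome.exe child=notepad.exe cmd="notepad.exe"
"""

# Browser processes whose children we want to scrutinise (illustrative list).
BROWSERS = {"chrome.exe", "msedge.exe", "chromium"}

# A browser legitimately spawns only its own helper processes (renderer, GPU,
# utility); anything else is at least worth a medium-severity look.
EXPECTED_CHILDREN = BROWSERS

# Interpreters and LOLBins that a browser should never launch directly.
HIGH_RISK_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def triage_browser_children(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return an alert per event where a browser spawned an unexpected child.

    Severity is 'high' when the child is a script interpreter or LOLBin and
    'medium' for any other non-browser child, so analysts can sort the queue.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_event(line)
        parent = ev.get("parent", "").lower()
        child = ev.get("child", "").lower()
        if parent not in BROWSERS or child in EXPECTED_CHILDREN:
            continue
        alerts.append({
            "ts": ev.get("ts", ""),
            "host": ev.get("host", ""),
            "parent": parent,
            "child": child,
            "cmd": ev.get("cmd", ""),
            "severity": "high" if child in HIGH_RISK_CHILDREN else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_browser_children(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['severity']:6}] {alert['ts']} {alert['host']}: "
              f"{alert['parent']} -> {alert['child']} ({alert['cmd']})")
```

On the constructed sample this yields three alerts (two high, one medium) and ignores the explorer-launched PowerShell, which is outside the rule's scope. Correlating each alert with the host's browser build would let you confirm the "unpatched environment" part of the advice, but the fixed Chrome build number is not quoted in the bulletin, so it is left out here rather than guessed.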
7-Zip CVE-2025-11001 exploited using public PoC — NHS England has warned that CVE-2025-11001 in 7-Zip is now under active exploitation after researchers released a proof-of-concept that abuses symbolic links to achieve arbitrary file writes and potential code execution [Global]. Organisations relying on 7-Zip for archival workflows should treat patching as urgent, review where the tool is embedded in server-side processes, and monitor for suspicious archive extraction activity on high-value systems (Source: The Hacker News, 19-11-2025).
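The item above describes a symlink-based arbitrary file write during archive extraction and recommends reviewing where extraction is embedded in server-side processes. As an added example, not code from The Hacker News, NHS England or the 7-Zip project, and not a reproduction of CVE-2025-11001 itself, the Python below audits a tar archive before extraction for the general class of problem: entries whose path escapes the destination, link entries whose target escapes it, and entries that would be written through an earlier symlink entry. The destination path and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile
from typing import Dict


def _is_within(base: str, target: str) -> bool:
    """True if `target` resolves inside `base` after normalising '..' and '.'."""
    base = os.path.abspath(base)
    target = os.path.abspath(target)
    return os.path.commonpath([base, target]) == base


def audit_archive(data: bytes, dest: str = "/srv/extract") -> Dict[str, str]:
    """Classify each entry as 'ok' or a rejection reason, without extracting.

    Checks, in order: the entry path must stay inside `dest`; the entry must
    not be placed under a directory that an earlier entry created as a
    symlink (the write would follow the link); symlink/hardlink targets must
    stay inside `dest`; only regular files, directories and links are allowed.
    """
    verdicts: Dict[str, str] = {}
    symlinks = set()  # archive-relative names of symlink entries seen so far
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name.strip("/")
            entry_path = os.path.join(dest, m.name)
            parts = name.split("/")
            ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]

            if not _is_within(dest, entry_path):
                verdicts[m.name] = "path escapes destination"
            elif any(a in symlinks for a in ancestors):
                verdicts[m.name] = "writes through earlier symlink entry"
            elif m.issym() or m.islnk():
                if m.issym():
                    symlinks.add(name)
                    # Symlink targets are relative to the link's own directory.
                    link_dir = os.path.dirname(entry_path)
                    target = (m.linkname if os.path.isabs(m.linkname)
                              else os.path.join(link_dir, m.linkname))
                else:
                    # Hardlink targets are relative to the archive root.
                    target = os.path.join(dest, m.linkname)
                verdicts[m.name] = ("ok" if _is_within(dest, target)
                                    else "link target escapes destination")
            elif m.isfile() or m.isdir():
                verdicts[m.name] = "ok"
            else:
                verdicts[m.name] = "unsupported entry type"
    return verdicts


def safe_to_extract(data: bytes, dest: str = "/srv/extract") -> bool:
    """True only when every entry in the archive passed the audit."""
    return all(v == "ok" for v in audit_archive(data, dest).values())


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus four entries that should fail."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, payload: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))

        add_file("docs/readme.txt", b"hello")          # benign
        link = tarfile.TarInfo("docs/etc")              # symlink to an absolute path
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
        add_file("../outside.txt")                      # classic '..' traversal
        esc = tarfile.TarInfo("tmpdir")                 # symlink out of dest, then...
        esc.type = tarfile.SYMTYPE
        esc.linkname = "../../elsewhere"
        tf.addfile(esc)
        add_file("tmpdir/planted.txt")                  # ...a file written through it
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict in audit_archive(build_sample_archive()).items():
        print(f"{verdict:36} {entry}")
    print("safe:", safe_to_extract(build_sample_archive()))
```

The audit runs on the member list only, so it never touches the filesystem. For pipelines that already use Python's own extractor, `tarfile.extractall(path, filter="data")` (Python 3.12, backported to 3.8.17+, 3.9.17+, 3.10.12+, 3.11.4+) applies equivalent rules; the explicit version is useful when the extraction itself is delegated to an external tool such as 7-Zip and you want a pre-check and an audit trail.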
Eurofiber vulnerability exploited to steal sensitive data — Reporting from the Netherlands describes how attackers exploited a security flaw in infrastructure provider Eurofiber to access customer data, prompting emergency patching and incident response across affected networks [EU]. The incident is a reminder that telecom and connectivity providers can become high-impact single points of failure, requiring customers to track upstream vulnerabilities and verify that service-level agreements include transparent security and disclosure obligations (Source: Cyber Press, 19-11-2025).
Threat bulletin flags OpenSSH patches and UK supply-chain risk — A UK-focused threat roundup highlights multi-stage ransomware extortion trends, urgent OpenSSH patching requirements and new assessments of supply-chain weaknesses across critical national infrastructure [EU]. For threat intelligence and vulnerability management teams, the bulletin reinforces the need to align vulnerability prioritisation with real-world exploitation, while stress-testing how third-party outages or compromise would impact service delivery and regulatory obligations (Source: Secarma, 20-11-2025).
Law Enforcement
Russian hacking suspect arrested on Thai resort island — Thai authorities, acting on an FBI request, have arrested a 35-year-old Russian man on Phuket who is suspected of mounting cyberattacks against US and European government agencies and is now facing extradition proceedings in Bangkok [APAC]. The case underlines how high-value intrusion campaigns can eventually lead to international arrests, with digital forensics, intelligence sharing and travel pattern analysis converging to locate alleged “world-class” hackers far from their home jurisdictions (Source: AP News, 20-11-2025).
Operation Cyber Hawk nets 700+ cyberfraud suspects in Delhi — Under a 48-hour initiative dubbed Operation Cyber Hawk, Delhi Police and their cyber units uncovered a cyberfraud network worth an estimated ₹1,000 crore and detained more than 700 suspected cybercriminals across the city [APAC]. The scale of the crackdown demonstrates how coordinated sweeps, centralised fraud intelligence and pressure on mule-account networks can disrupt large ecosystems of call-centre-style scams rather than just single crews (Source: The Economic Times, 21-11-2025).
Chennai police arrest suspects in ‘digital arrest’ cyber fraud — Police in Chennai have arrested two suspects from Thoothukudi accused of running “digital arrest” scams, where victims are coerced via spoofed law-enforcement calls into remaining under video surveillance while being tricked into transferring large sums of money [APAC]. The arrests show law enforcement responding to an emerging fraud pattern seen across India, and emphasise the need for public-awareness campaigns so victims recognise fake authority tactics before funds are moved irreversibly (Source: DT Next, 20-11-2025).
Policy
US, UK and Australia sanction Russian cybercrime infrastructure — The US Treasury, in coordination with the UK and Australia, has imposed sanctions on Russian bulletproof hosting providers and related entities accused of supporting ransomware operations against critical services worldwide [Global]. By freezing assets, restricting services and naming key operators, the move demonstrates how governments are increasingly blending financial sanctions with cyber operations to raise costs for infrastructure providers that shelter criminal ecosystems (Source: US Department of the Treasury, 19-11-2025).
UK Cyber Security and Resilience Bill targets ransomware and legacy risk — A new analysis explains how the UK’s Cyber Security and Resilience Bill will expand NIS-style obligations, forcing managed service providers and critical entities to harden systems, report incidents faster and reduce reliance on outdated technologies that enabled attacks like Synnovis and Jaguar Land Rover [EU]. CISOs should expect more regulatory scrutiny of board-level cyber governance, breach reporting discipline and investment in modernised infrastructure as the bill progresses through Parliament (Source: Fortra, 20-11-2025).
Legal briefing dissects UK incident-reporting and ransomware proposals — Mayer Brown’s commentary on the Cyber Security and Resilience Bill details new incident-reporting timelines, extended sector scope and evolving government thinking on measures to discourage ransomware payments while ensuring rapid disclosure [EU]. Policy and legal teams in regulated sectors should map current playbooks against the draft requirements now, as under-reporting or slow engagement with regulators could soon carry explicit penalties and reputational risk (Source: Mayer Brown, 18-11-2025).
Standards & Compliance
UK bulletin outlines new obligations for managed service providers — NormCyber’s latest threat bulletin explains how proposed UK regulations will require managed security and IT service providers to maintain robust incident-response plans and report significant incidents to the NCSC and regulators within tight 24–72 hour windows [EU]. Compliance leads should assess whether contracts, runbooks and logging architectures are mature enough to support these timelines, particularly where multiple subcontractors participate in service delivery chains (Source: NormCyber, 20-11-2025).
NCSC advisories reinforce respond-and-recover expectations — The UK NCSC’s latest reports and advisories reiterate guidance on responding to cyber attacks, stressing pre-defined playbooks, tested backups and clear communication channels with regulators and law enforcement [EU]. For organisations aligning to NCSC, ISO 27001 or NIST CSF, the material offers practical checklists that can be baked into audit frameworks and incident-response exercises rather than treated as optional best-practice reading (Source: NCSC, 2025).
November Patch Tuesday roundup underscores need for disciplined remediation — CrowdStrike’s November Patch Tuesday analysis highlights critical remote code execution bugs across Microsoft Office and other products, urging security teams to prioritise exploitation-likely vulnerabilities over sheer CVSS scores [US]. Mature compliance programmes can use such vendor analyses to inform risk-based patching SLAs, ensuring audit evidence shows that limited maintenance windows are used to address the most dangerous flaws first (Source: CrowdStrike, 18-11-2025).
Institutional investors warned on escalating cyber risk — A briefing for asset owners notes that familiar attack types are causing ever-larger losses, citing the Jaguar Land Rover breach as an example of how outages can ripple into multi-billion-pound economic shocks [Global]. For boards and risk committees, the message is that cyber resilience controls, tabletop exercises and reporting standards are now central to fiduciary duty, not a niche operational concern delegated entirely to IT teams (Source: Top1000funds, 21-11-2025).
Editorial Perspective
This 48-hour cycle reinforces how blurred the boundaries have become between classic “incidents”, ongoing investigations and long-running policy battles. A single supply-chain breach at a SaaS vendor now ripples through thousands of customers, while law-enforcement operations span continents to track the money behind streaming piracy or industrial-scale call-centre fraud.
For DFIR teams, the message is that playbooks must assume compromise of upstream cloud platforms and niche third-party tools, not just endpoints and on-prem infrastructure. At the same time, new laws and sanctions are tightening expectations around incident reporting, ransom payments and board-level cyber governance, pulling CISOs further into regulatory and legal discussions.
Practitioners who invest in robust evidence capture, resilient offline backups and clear communication channels with regulators and law enforcement will be best placed to navigate this convergence of technical, legal and geopolitical pressure. Those who treat cyber incidents purely as “IT problems” will find that every breach now lands simultaneously in the realms of compliance, litigation and reputational risk.
Reference Reading
- CISA Known Exploited Vulnerabilities Catalog (live KEV list)
- NCSC guidance: Cyber incident management and response
- Europol report: Organised crime online and disruption models
- AWS Security: APT exploiting Cisco and Citrix zero-days
- UNODC: Following the money in Southeast Asian cyber fraud
- CrowdStrike November 2025 Patch Tuesday technical breakdown
Tags
DFIR, ransomware, supply-chain breaches, SaaS security, zero-day exploits, cyber investigations, law enforcement, cyber policy, incident reporting, patch management, backup resilience, global cyber threats
