
Casmer Labs, Cloud Storage Security’s (CSS) internal threat laboratory, monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.
In our Q1 threat report, the Casmer Labs team anticipated continued growth in the popularity of infostealers, as well as a resulting increase in infostealer-related cybersecurity incidents.
INTERPOL Takes Down 20,000 Malicious IP Addresses Used by Infostealers
On Wednesday, June 11, the International Criminal Police Organization (INTERPOL) announced that it had dismantled over 20,000 malicious IP addresses and domains suspected of being used to receive information from 69 separate infostealer variants. The raids took place between January and April of 2025 and resulted in 41 servers seized and 32 physical arrests. The operation, codenamed “Operation Secure”, was a joint effort between 26 separate countries and their law enforcement agencies.
Figure 1. High-level statistics distributed by INTERPOL.
While Operation Secure was no doubt a success, history suggests that it won’t be long before other servers are spun up and different cybercriminals take their place. In April, Casmer Labs reported an estimated 40% increase in popularity of infostealer development and usage in the 6 months prior. As the global volume of data increases and the price of sensitive information on black markets continues to rise, we maintain that infostealers and other data-centric strains of malware will continue to grow in popularity.
To prevent infostealer infections and related cybersecurity incidents, Casmer Labs recommends the following:
- Implementing regularly-updated malware scanning on endpoints, networks, applications, local machines, and in the storage layer in the cloud
- Regularly educating employees on social engineering schemes, including phishing
- If possible, configuring schedule-based scanning on all protected layers to catch latent malware as new signatures are added/updated
Cloud Storage Security’s malware protection solution is available in AWS Marketplace, supports all three major cloud providers (AWS/Azure/GCP), is deployed in under 15 minutes, and can be tested for free for 30 days.
Better Call Who Again?
As reported on June 20 by Ravie Lakshmanan, a ransomware-as-a-service (RaaS) vendor dubbed Qilin is now presenting customers with the option of legal counsel. As translated by Cybereason from the console itself: “The mere appearance of a lawyer in the chat can exert indirect pressure on the company and increase the ransom amount, as companies want to avoid legal proceedings. The benefits of working with the legal department include:
- Legal assessment of your data;
- Classification of violations in accordance with applicable legal acts in different jurisdictions;
- Legal evaluation of potential damages (including lawsuits, legal costs, reputational risks);
- Ability to conduct direct negotiations between the company and the lawyer;
- Advice on how to inflict maximum financial damage on the company if it refuses to comply (and how to avoid similar situations in the future).”
The popularity of Qilin in recent months is likely correlated with the decline of its competitors; RansomHub, LockBit, Everest, and BlackLock have all recently shut down or lost the favor of customers.
RaaS gangs have long been known to emulate the business practices of legitimate SaaS vendors. Customer support, professional services, financing options, and community forums have been offered by larger RaaS vendors for years. However, legal intimidation is a new threat to victims, showcasing the growing complexity (and effectiveness) that RaaS gangs pursue in order to beat their competitors and maximize profit.
To prevent ransomware attacks from affecting your organization, Cloud Storage Security (CSS) recommends that your organization implement a robust activity monitoring solution that automatically identifies and prevents both internal and external threats. DataDefender by Cloud Storage Security uses a combination of traditional anomaly detection, machine learning, and heuristic analysis to detect ransomware threats, even from privileged internal users, alert on the threat, and remove the user’s permissions (if configured) before the breach has completed.
DataDefender by Cloud Storage Security is now accepting applications for the second wave of beta users. Sign up for free by filling out this form.
About Cloud Storage Security
Cloud Storage Security (CSS) offers customers the ability to protect the storage layer in their cloud environments. DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:
- Knows where its sensitive data resides
- Configures its storage resources in a secure manner
- Prevents the ingestion and distribution of malware, including ransomware
- Identifies and stops internal and external attacks against storage, and the data within
The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.
Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.