A new ransomware operation known as Kyber has emerged. Their first and current only posted victim is L3Harris, a major defense contractor in the United States.

The operators have provided a timer that ends around 6 PM EST on Sunday, October 19. The group claims to have stolen over 300 GB of data, including source code for VCS21 (Voice Communication Systems for the 21st Century), various Microsoft Access database files (.mdb), and what appears to be an entire GitHub repository related to ‘LS3’, which isn’t a product or service provided by L3Harris that we could find. However, the sample data provided resembles what a GitHub directory would look like, .git and .vscode files included.

L3Harris operates in all domains: space, air, land, sea, cyber, and various systems that cover multiple domains. They create software, cyber, and robotic solutions, electronic warfare, missile and missile warning systems, autonomous systems, and copious other defense-related solutions specifically pertaining to communications between these systems. Source code leaks of any of these could pose a national security threat, among other things, but we’re waiting for the countdown to see what this group will do to make any assumptions.

Aside from a malware sample of the ransomware encryptor, nothing is known about Kyber at the time of writing. We’ve published all known technical information and everything else on our Ransomware Tracker entry for Kyber, located here:

https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/kyber

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dan0n

The dAn0n Hacker Group, or dAn0n, was first observed in the Spring of 2024. They posted their first victim on their simultaneous dark web and clear net data leak site on March 26. The dAn0n group is often lumped in with other ransomware groups, but there's no evidence they ever deployed a ransomware encryptor (crypto-ransomware). The only evidence of their operations comes from their victims and any information they provide. Based on their own data and admissions, they only stole, extorted, and sold data, which we refer to as Data Brokers.

The most interesting aspect of the dAn0n operation was their quiet approach, but loud extortion techniques. There isn't too much research on their tactics and techniques, but the manner in which they extorted victims on their data leak sites was overtly verbose. For example, each victim publication included a "Status" GUI that tracked the extortion chain. The most observed Status process was six steps:

1. Setting a deadline of X hours (usually 180 or 240)
2. Informing leadership team
3. Informing insurance company
4. Refuse of the deal
5. Informing clients and partners
6. Informing regulatory authorities

Their M.O. was to inform just about everyone to coerce victims into payment. After publishing 19 victims, they suddenly ceased operations in late August of the same year. Although they didn't utilize an encryptor in this operation, this group reappeared in 2025 as White Lock, which did use a traditional crypto-ransomware.

The UK has taken one of the most decisive steps yet in the global fight against ransomware. Following a summer of attacks that disrupted healthcare, retail, and legal services, the government has confirmed that a targeted ban on ransom payments and a universal reporting requirement will become law.

What the Policy Includes

• Ban on ransom payments: Public sector organisations and operators of Critical National Infrastructure (CNI) will be prohibited from paying ransoms. The NHS alone has faced over 1,300 attempted ransomware intrusions in the past 12 months, according to government data.
   
• Mandatory reporting: All UK organisations will need to report ransomware incidents to a new central body. This addresses a long-standing visibility gap only around 20–25% of ransomware attacks are currently reported, according to Europol.

Why This Matters Now

The policy follows a summer in which:
- Marks & Spencer had online retail operations disrupted for months.
- NHS Scotland had patient appointment data temporarily inaccessible.
- The Legal Aid Agency confirmed the theft of over 250,000 case records.

These cases highlight the dual impact of ransomware: direct operational downtime and longer-term trust erosion.

Part of a Global Trend

The UK’s measures align with global efforts under the Counter Ransomware Initiative (CRI), a coalition of 48 countries. The CRI’s 2024 report estimated ransomware caused over $30 billion in global economic losses annually. Unlike the US, which currently discourages but does not ban ransom payments, the UK is moving toward outright prohibition for its most vital services.

What Organisations Must Do

With ransom payment off the table, resilience becomes the only option. The National Cyber Security Centre (NCSC) recommends:
- Multi-Factor Authentication (MFA), which blocks 99.9% of credential-based attacks.
- Offline, immutable backups, tested regularly.
- Security awareness training, especially against phishing (still the entry point in over 60% of ransomware incidents).
- Incident response exercises aligned with NCSC guidance.

The ransomware economy thrives on secrecy and silence. The UK’s new measures end both.