• 20. Ransomware Landscape Update: More Groups, More Victims
    Sep 25 2025

    In this episode of The Dark Dive we check in on the ransomware landscape, following major developments identified by the Searchlight Cyber threat intelligence team.

    Luke Donovan, Head of Threat Intelligence at Searchlight Cyber, shares trends that his team has identified from the dark web in 2025 including: an escalation in the number of ransomware attacks, more than 35 new ransomware groups emerging, and alarming new tactics for vulnerability exploitation and victim extortion.

    This episode also features the famous Searchlight "Top Five Ranking" of ransomware groups, discussion of why LockBit has disappeared from the list, and advice for private sector and government cybersecurity professionals in a hostile ransomware landscape.

    Further reading:

    - The report discussed throughout the episode, "An Escalation in Attacks: The Ransomware Landscape in H1 2025": https://www.slcyber.io/whitepapers-reports/an-escalation-in-attacks-the-ransomware-landscape-in-h1-2025/

    - Our dedicated podcast on the recent hack of LockBit, "A Deep Dive Into The LockBit Data Leaks" (mentioned at 30.00): https://slcyber.io/podcasts/a-deep-dive-into-the-lockbit-data-leaks/

    - Our previous ransomware report where we predicted Akira as a group to watch, "More Groups, More Problems: Ransomware in 2023" (mentioned at 32.49): https://slcyber.io/whitepapers-reports/ransomware-in-2023/

    - Our previous podcast episode on Qilin's attack on the UK's National Health Service, "The Qilin Ransomware Group vs The National Health Service" (mentioned 34.35): https://slcyber.io/podcasts/the-qilin-ransomware-group-vs-the-national-health-service/

    - The ransomware report we released at the beginning of this year, where RansomHub featured at no. 1, "Same Game, New Players: Ransomware in 2025" (mentioned 36.35): https://slcyber.io/whitepapers-reports/same-game-new-players-ransomware-in-2025/

    Want to find out more or have a suggestion for future podcast episodes?

    Email: thedarkdive@slcyber.io

    Website: www.slcyber.io

    LinkedIn: www.linkedin.com/company/searchlight-cyber

    X: www.twitter.com/SLCyberSec

    Weekly newsletter: www.slcyber.io/beacon/

    50 mins
  • 19. A Deep Dive Into The LockBit Data Leaks
    Jul 21 2025

    On May 7th, 2025 the notorious ransomware group LockBit’s dark web leak site displayed an unusual message: “Don’t do crime, crime is bad xoxo from Prague”. Alongside this text was the link to an archive file, containing data that appeared to have been stolen from the LockBit ransomware group itself.

    In this month's episode of The Dark Dive, members of the Searchlight Cyber threat intelligence team share what they learned by downloading and analysing the files. They share insights into the "Lite" version of LockBit's Ransomware-as-a-Service scheme captured in the data, and what we learnt about the 76 affiliate hackers caught up in the data leak and from the 208 victim negotiations.

    Juicy details include the range of payments that the hackers demand from their victims, unexpected conversations in the negotiation chats, and the deliberate targeting of Chinese enterprises.

    Further reading:

    - Previous episode of The Dark Dive on LockBit - "The LockBit TakeDown" (Discussed at 01.20): https://slcyber.io/podcasts/the-lockbit-takedown/

    - Listen to previous episode of The Dark Dive - "Ransomware Groups on the Dark Web" - for more information on Ransomware-as-a-Service schemes (Discussed from 01.50 onwards): https://slcyber.io/podcasts/ransomware-gangs-on-the-dark-web/

    - The episode of The Dark Dive that covers TOX and other messaging applications - "Encrypted Communication Apps: From Telegram to EncroChat" (Discussed at 10.20): https://slcyber.io/podcasts/encrypted-communication-apps-from-telegram-to-encrochat/

    41 mins
  • 18. ASM in the Age of CTEM
    Jun 24 2025

    This month's episode of The Dark Dive revisits the topic of Attack Surface Management. In particular, how it relates to a relatively new cybersecurity term, CTEM: Continuous Threat Exposure Management.

    In a lively discussion, guests Michael Gianarakis and Ben Jones help define CTEM, a security process that has quickly gained traction thanks to being championed by the analyst firm Gartner. They debate what CTEM adds to cybersecurity, how it builds on previously established concepts, and where ASM and threat intelligence play a role in the process.

    Along the way, Michael and Ben give practical advice for how organizations should be implementing CTEM, including common pitfalls to avoid and ways that security teams can measure the success and maturity of their CTEM program.

    This episode ties in with the new e-book published by Searchlight Cyber, "ASM in the age of CTEM", which you can download here for free: https://slcyber.io/ebooks/asm-in-the-age-of-ctem/

    56 mins
  • 17. Hacktivism
    May 19 2025

    This month's episode of The Dark Dive tackles the thorny issue of hacktivism: hackers that are driven by ideological - rather than financial - motivations.

    Threat intelligence experts Luke Donovan and Vlad join the podcast to discuss how hacktivism has evolved from the "digital utopia" era, to the anti-establishment antics of Anonymous, to the state-aligned activities we observe today.

    Along the way, we cover the defining tenets of modern-day hacktivist groups, including their targets, tactics, and use of Telegram to promote their attacks and causes. We also discuss how hacktivism has escalated from acts of protest and defacement to more sophisticated attacks, including the use of ransomware.

    Further reading:

    - "Hacking in the Name Of", article on the history of hacktivism authored by Diana Selck-Paulsson in The Hacker News (discussed at 04:30): https://thehackernews.com/expert-insights/2025/02/hacking-in-name-of.html

    - "Encrypted Communication Apps: From Telegram to EncroChat" our podcast episode on Telegram and other messaging apps (discussed at 25:27): https://slcyber.io/podcasts/encrypted-communication-apps-from-telegram-to-encrochat/

    - "The Rise of the Hacktivist Supergroup", previously published threat intelligence from Vlad on hacktivist group team-ups (discussed at 36:45): https://techinformed.com/the-rise-of-the-hacktivist-supergroup/

    47 mins
  • 16. Attack Surface Management 101
    Apr 3 2025

    This bumper episode of The Dark Dive features no fewer than four co-founders, as the CEO and CTO of Searchlight Cyber (Ben Jones and Gareth Owenson) are joined by their counterparts from the Attack Surface Management company Assetnote (Michael Gianarakis and Shubham Shah).

    Together, we discuss the background of Assetnote and the origins of its founders in the offensive security and bug bounty world, the rationale behind Searchlight Cyber's recent acquisition of Assetnote, and the fundamentals of Attack Surface Management (ASM).

    We take a deep dive into the tenets of Attack Surface Management, including viewing ASM as a process rather than a technology, nuances in the ASM market, and the role of vulnerability research.

    Further reading:

    • Press release on Searchlight Cyber's acquisition of Assetnote (discussed 12:00 - 21:34): https://slcyber.io/press/searchlight-cyber-acquires-assetnote/
    • Visit the Assetnote Security Research Center for the most recent vulnerability research from Assetnote (discussed 35:32 - 42:33): https://slcyber.io/assetnote-security-research-center/
    • Assetnote's ServiceNow vulnerability research (discussed 37:40 - 38.35): https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data
    • Assetnote's Citrix Bleed vulnerability research (discussed 41.06 - 42.33): https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966
    • Visit this page for more information on the Assetnote Attack Surface Management platform: https://slcyber.io/dark-web-security-products/attack-surface-management-tool/
    • For more insights from the Assetnote co-founders on Attack Surface Management check out their own podcast, Surfacing Security: https://youtu.be/LEcFfC6OrYk?feature=shared

    48 mins
  • 15. Dark Web Threats Against Individuals
    Mar 12 2025

    In this episode of The Dark Dive we look at how specific individuals - executives, VIPs, and high-net-worth individuals - are targeted by cybercriminals and on the dark web.

    Ahead of the launch of their Digital Footprint Review service, NCC Group's Matt Hull joins us to discuss the threats facing individuals - including social engineering and Business Email Compromise (BEC) - and how these can be mitigated by auditing your personal online presence and monitoring the dark web.

    Meanwhile Searchlight Cyber's Ben Jones explains the threats facing individuals from the dark web - from doxxing to physical threats - and shares his own experiences as an executive of being the target of CEO Fraud.

    Visit www.nccgroup.com for more information on the NCC Group and resources on securing your digital footprint.

    Marsh McLennan research report mentioned at 15.38: https://slcyber.io/whitepapers-reports/the-correlation-between-dark-web-exposure-and-cybersecurity-risk/

    49 mins
  • 14. The Dark Web in 2025
    Feb 18 2025

    In the first episode back of the year we've assembled two of Searchlight Cyber's threat intelligence experts to give their take on what we can expect from the dark web in 2025.

    Louise Ferrett and Luke Donovan say what they think 2024 will be remembered for, choose one news story that might have gone under the radar, and (are forced into) making a prediction for the year ahead.

    Along the way we discuss the fragmentation of the cybercrime landscape, how law enforcement upped their takedown game last year, and the priorities for cybersecurity professionals in 2025.

    You can download Searchlight Cyber's report "Same Game, New Players: Ransomware in 2025" (discussed from 21.45) here: https://slcyber.io/whitepapers-reports/same-game-new-players-ransomware-in-2025/

    54 mins
  • 13. Infostealers on the Dark Web
    Dec 18 2024

    In this episode of The Dark Dive we're looking at a particular type of malware called Information Stealers or "infostealers". This malware is designed to (you guessed it!) steal information from infected devices.

    Threat Intelligence Engineers Rob Fitzsimons and Joe Honey discuss exactly how infostealers work, why this malware has become so prolific, and where it can be spotted on the dark web.

    During the episode we cover the differences between different strains of infostealer, recent law enforcement action that has succeeded in taking infostealers offline, and how organizations should be protecting themselves.

    You can download Searchlight Cyber's infostealer report (discussed 26.53 - 29.40) here: https://slcyber.io/whitepapers-reports/infostealer-identified/

    And find more information on Operation Magnus (discussed 38.18 - 47.06) here: https://www.operation-magnus.com/

    55 mins