Contents
01. News Bites
- UK Legal Aid Agency probes cyber incident amid retail ransomware wave
- DDoS attacks skyrocket 358% YoY in Q1 2025, Germany most targeted
- Phishing campaign spoofs TAP Air Portugal after blackout disrupted Iberia
- West Lothian Council hit by suspected ransomware attack on education network
- South African Airways hit by cyberattack, launches investigation
- LockBit ransomware gang suffers major breach after affiliate panel defaced and leaked
02. Conclusion
UK Legal Aid Agency probes cyber incident amid retail ransomware wave
The Legal Aid Agency (LAA), part of the UK Ministry of Justice, is investigating a cyber incident that may have exposed financial data linked to legal aid providers. In a letter sent to law firms, the LAA warned that attackers might have accessed payment details, though no data breach has been confirmed. The LAA oversees billions in legal funding and contracts around 2,000 legal aid providers in England and Wales.
The UK’s National Crime Agency and National Cyber Security Centre are assisting the investigation. The incident comes amid a wave of ransomware attacks on British retailers, including Co-op, Harrods, and Marks & Spencer, which have been claimed by the DragonForce ransomware gang using Scattered Spider tactics.
Co-op has restricted VPN access and Harrods has limited internet access while they respond. UK cyber authorities have issued new guidance and warned that these attacks should be a wake-up call for businesses to harden their defences.
DDoS attacks skyrocket 358% YoY in Q1 2025, Germany most targeted
Cloudflare’s Q1 2025 DDoS Threat Report reveals a 358% year-on-year surge in Distributed Denial of Service (DDoS) attacks, with 20.5 million recorded globally. Germany was the most targeted country, followed by Turkey and China, while Hong Kong topped the list of attack sources.
Notably, Cloudflare blocked more DDoS attacks in Q1 2025 than during the whole of 2024, including over 700 hyper-volumetric incidents exceeding 1 Tbps (terabits per second) or 1 Bpps (billion packets per second). One attack peaked at a record-breaking 4.8 Bpps.
The gaming, telecom, and cybersecurity sectors were among the hardest hit, and many attacks originated from Mirai-variant botnets. SYN floods and DNS floods were the most common vectors, while CLDAP (connectionless LDAP) and ESP (IPsec Encapsulating Security Payload) amplification attacks each rose by more than 2,000%.
Despite the media focus on the largest attacks, 99% of Layer 3/4 attacks and 94% of HTTP floods were “small” yet still capable of causing disruption. The report stresses the need for constant, automated mitigation: attacks that last seconds and never approach record volumes still outpace any manual response.
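As an added illustration, not part of Cloudflare’s report or of this bulletin, the following Python sketch shows the kind of automated, per-vector detection the report argues for: it buckets flow records into one-second windows per destination, classifies each flow as a SYN flood, DNS flood, or CLDAP amplification candidate, and raises an alert when both the packet rate and the number of distinct sources cross a threshold. The flow records, IP addresses, and thresholds are all constructed for the example and should be replaced with values derived from your own traffic baseline.

```python
"""Windowed DDoS vector detector over constructed flow records (example only)."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 1.0  # seconds per detection window (assumed)

# Alert thresholds per vector: packets per second and distinct sources.
# These are assumed values chosen for the sample data, not recommendations.
THRESHOLDS = {
    "syn_flood":           {"pps": 500, "min_sources": 50},
    "dns_flood":           {"pps": 500, "min_sources": 20},
    "cldap_amplification": {"pps": 100, "min_sources": 10},
}


@dataclass(frozen=True)
class Flow:
    ts: float        # timestamp in seconds
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: str   # e.g. "S" for a bare SYN; "" for UDP
    packets: int
    bytes: int


def vector_of(f: Flow):
    """Map a flow to an attack vector, or None if it matches none."""
    if f.proto == "TCP" and f.tcp_flags == "S":
        return "syn_flood"
    if f.proto == "UDP" and f.src_port == 389:
        # CLDAP amplification: reflected replies arrive from UDP/389.
        return "cldap_amplification"
    if f.proto == "UDP" and f.dst_port == 53:
        return "dns_flood"
    return None


def detect(flows):
    """Return alerts for (destination, vector, window) buckets over threshold."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        vector = vector_of(f)
        if vector is None:
            continue
        key = (f.dst_ip, vector, int(f.ts // WINDOW))
        buckets[key]["packets"] += f.packets
        buckets[key]["bytes"] += f.bytes
        buckets[key]["sources"].add(f.src_ip)

    alerts = []
    for (dst, vector, window), b in sorted(buckets.items()):
        t = THRESHOLDS[vector]
        pps = b["packets"] / WINDOW
        if pps >= t["pps"] and len(b["sources"]) >= t["min_sources"]:
            alerts.append({
                "dst": dst,
                "vector": vector,
                "window": window,
                "pps": pps,
                "sources": len(b["sources"]),
                "avg_pkt_bytes": b["bytes"] / b["packets"],
            })
    return alerts


def sample_flows():
    """Constructed sample traffic: benign noise, then a SYN flood, then CLDAP reflection."""
    flows = []
    # Window 0: a few ordinary connection attempts and DNS lookups.
    for i in range(5):
        flows.append(Flow(0.1 * i, "TCP", f"192.0.2.{i + 1}", 40000 + i, "10.0.0.5", 443, "S", 1, 60))
        flows.append(Flow(0.1 * i, "UDP", f"192.0.2.{i + 1}", 50000 + i, "10.0.0.53", 53, "", 1, 80))
    # Window 1: 200 spoofed sources each sending 3 SYNs to 10.0.0.5:443 (600 pps).
    for i in range(200):
        flows.append(Flow(1.0 + i / 400, "TCP", f"203.0.113.{i}", 1024 + i, "10.0.0.5", 443, "S", 3, 180))
    # Window 2: 20 reflectors returning large CLDAP responses to 10.0.0.7 (200 pps, ~3 KB/packet).
    for i in range(20):
        flows.append(Flow(2.0 + i / 100, "UDP", f"198.51.100.{i + 1}", 389, "10.0.0.7", 40000, "", 10, 30000))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The point of the example is the combination of rate and source-count conditions: a single noisy client exceeding the packet rate does not trigger an alert, while a distributed burst that never approaches gigabit volumes does. In production the thresholds would be learned per destination rather than fixed, and the alert would feed a mitigation action (rate limiting, SYN cookies, or upstream scrubbing) rather than a print statement.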
Phishing campaign spoofs TAP Air Portugal after blackout disrupted Iberia
Following a major power outage across Spain, Portugal, and parts of Europe at the end of April, opportunistic threat actors launched a phishing campaign spoofing TAP Air Portugal to exploit travellers affected by flight delays. Emails targeting Portuguese and Spanish speakers claimed victims were eligible for compensation, linking to phishing pages designed to steal personal and payment data.
The messages, sent via compromised WordPress sites, cited the EU’s Air Passenger Rights Regulation and promised refunds within two days. However, Cofense Intelligence warned that the embedded links directed users to fraudulent forms harvesting sensitive details.
Subject lines varied by language—“Atualização de compensação” in Portuguese and “Compensación por su vuelo” in Spanish. The campaign highlights how cybercriminals weaponise real-world crises to drive social engineering attacks.
Authorities have ruled out a cyberattack as the cause of the blackout, though the outage itself remains under investigation. Users are urged to stay vigilant and avoid clicking unsolicited links, especially during disruptive events, and to submit any compensation claim through the airline’s own website rather than a link received by email.
West Lothian Council hit by suspected ransomware attack on education network
West Lothian Council has confirmed it is dealing with a suspected criminal ransomware cyberattack targeting its education network. The incident, which began on 6 May, is under active investigation in coordination with Police Scotland, the Scottish Government, and external agencies.
So far, there is no evidence that personal or sensitive data has been accessed, and the council has assured the public that its corporate and public access networks remain unaffected. Contingency plans have been activated to minimise disruption to schools, which remain open, with SQA exams proceeding as scheduled.
The education network has been isolated while IT teams work to restore affected systems. The council operates 133 schools, including 13 secondary schools, and has emphasised that pupils sitting National 5s and Highers will not be affected.
Officials praised the swift support received from partner organisations and reassured residents that services continue with minimal disruption.
South African Airways hit by cyberattack, launches investigation
South African Airways (SAA) has confirmed a significant cyberattack disrupted its operations on 3 May, affecting its website, mobile app, and internal systems. The airline swiftly activated disaster recovery protocols, restoring key services the same day and maintaining flight and customer service continuity throughout.
SAA described the attack as a serious incident and has engaged independent digital forensic experts to investigate the breach’s cause and scope. It is also assessing whether any data was accessed or exfiltrated, pledging to inform affected individuals if necessary.
The cyberattack adds to a rising wave of incidents across South Africa. Recent victims include mobile providers MTN and Cell C. According to ESET, the country accounts for over 40% of ransomware attacks and nearly 35% of infostealer incidents in Africa.
SAA has reported the breach to the State Security Agency and the Information Regulator, reinforcing its commitment to regulatory compliance and consumer data protection.
LockBit ransomware gang suffers major breach after affiliate panel defaced and leaked
The LockBit ransomware gang has suffered another major blow after its dark web affiliate panel was defaced and a link to a MySQL database dump was published. Panels now display the message, “Don’t do crime CRIME IS BAD xoxo from Prague,” alongside a download for "paneldb_dump.zip." The exposed SQL file reveals bitcoin wallet data, victim negotiation chats, and 75 affiliate usernames with passwords stored in plaintext, such as “Weekendlover69” and “Lockbitproud231.”
Among the 20 database tables are lists of attack builds, target company names, and server configurations. BleepingComputer’s analysis shows the leak occurred around 29 April 2025, though the identity of the attacker remains unknown. The message matches a previous defacement of Everest ransomware’s site, hinting at a possible connection.
The breach follows 2024’s Operation Cronos, which dismantled much of LockBit’s infrastructure. While LockBit recovered then, this new incident further tarnishes the gang’s reputation and raises questions about its long-term survival.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.