Latest Ransomware News and New File Extensions
FunkSec:
- New Encrypted File Extension: Not specified
- Attack Methods: Ransomware encryption. The group emerged in late 2024 and has since gone dormant.
- Targets: General victims (172 claimed).
- Decryption Status: Possible. A free decryptor has been publicly released by security researchers.
- Source: “FunkSec Ransomware Decryptor Released Free to Public After Group Goes Dormant”
Gunra:
- New Encrypted File Extension: Not specified
- Attack Methods: Evolved with a new Linux variant to become cross-platform (Windows/Linux). It uses sophisticated, multithreaded encryption.
- Targets: Windows and Linux systems.
- Decryption Status: No known method.
- Source: “Nimble ‘Gunra’ Ransomware Evolves With Linux Variant”
SafePay:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration and extortion. The group is threatening to leak 3.5TB of data allegedly stolen from its victim.
- Targets: IT distribution giant Ingram Micro.
- Decryption Status: Not applicable (data extortion threat).
- Source: “SafePay ransomware threatens to leak 3.5TB of Ingram Micro data”
Incransom:
- New Encrypted File Extension: Not specified
- Attack Methods: Data breach and extortion. Claims to have exfiltrated 1.2TB from Dollar Tree and 100GB from Family Service League.
- Targets: Retail (Dollar Tree), non-profit (Family Service League), and the Canadian town of Devon.
- Decryption Status: No known method.
- Source: Ransomware Leak Site Publication
Blackbyte:
- New Encrypted File Extension: Not specified
- Attack Methods: Data breach and extortion.
- Targets: Multiple industries, including pharmaceutical packaging (DARA Pharma), real estate (Lee & Associates), tech manufacturing (Cpat Flex), and mortgage services (Towne Mortgage).
- Decryption Status: No known method.
- Source: Ransomware Leak Site Publication
Beast:
- New Encrypted File Extension: Not specified
- Attack Methods: Data breach and extortion across a wide variety of sectors.
- Targets: A diverse list of victims including a school district, real estate firms, a city government, law firms, architects, and engineering consultants.
- Decryption Status: No known method.
- Source: Ransomware Leak Site Publication
Qilin:
- New Encrypted File Extension: Not specified
- Attack Methods: Data breach and extortion.
- Targets: Victims in financial services (Promociones y Cobranzas Beta), luxury goods (tissot.com), and food manufacturing (Custom Food Ingredients).
- Decryption Status: No known method.
- Source: Ransomware Leak Site Publication
Other Leak Site Activity:
- New Encrypted File Extension: Not specified for any of the following.
- Attack Methods: All groups claim data exfiltration and threaten to publish stolen information.
- Targets:
  - Flocker: Targeted G*n.com and a Taiwanese university.
  - Everest: Targeted Russian game developer Bitbox.
  - Global: Targeted German door manufacturer RUKU Tore – Türen.
  - J: Targeted restiani.com and French manufacturer gimaex.com.
  - Lynx: Targeted Tooling Systems Group.
  - Sinobi: Targeted engineering and manufacturing firms (Built Environment Engineers, Mid West Fabricating, KMDI).
- Decryption Status: No known methods.
- Source: Ransomware Leak Site Publications
Observations and Further Recommendations
- A significant volume of activity involves ransomware groups publicly announcing victims on their leak sites, indicating a continued focus on data exfiltration and “double extortion” tactics.
- Ransomware continues to evolve technically. The Gunra group, for example, has developed a Linux variant so that it can target Linux hosts as well as Windows systems.
- The cybersecurity community achieved a notable success with the release of a free decryptor for the FunkSec ransomware, allowing victims to recover their files after the threat group went dormant.
- Given the emphasis on data theft, organizations should prioritize robust data backup and recovery plans, network segmentation, and security measures to prevent initial unauthorized access.
News Details
- UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud: The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack.
- Alert Fatigue, Data Overload, and the Fall of Traditional SIEMs: Security Operations Centers (SOCs) are stretched to their limits. Log volumes are surging, threat landscapes are growing more complex, and security teams are chronically understaffed.
- Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install: Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8.
- Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps: Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data such as credentials and wallets.
- FunkSec Ransomware Decryptor Released Free to Public After Group Goes Dormant: Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free. “Because the ransomware is now considered dead, we released the decryptor for public download,” Gen Digital researcher Ladislav Zezula said.
- Product Walkthrough: A Look Inside Pillar’s AI Security Platform: In this article, we will provide a brief overview of Pillar Security’s platform to better understand how they are tackling AI security challenges. Pillar Security is building a platform to cover the entire software development and deployment lifecycle with the goal of providing trust in AI systems.
- Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome: Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month.
- Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits: Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
- Chinese Firms Linked to Silk Typhoon Filed 15+ Patents for Cyber Espionage Tools: Chinese companies linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as behind over a dozen technology patents, shedding light on the shadowy cyber contracting ecosystem and its offensive capabilities.
- Google Launches DBSC Open Beta in Chrome and Enhances Patch Transparency via Project Zero: Google has announced that it’s making a security feature called Device Bound Session Credentials (DBSC) in open beta to ensure that users are safeguarded against session cookie theft attacks.
- Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware: Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.
- Scattered Spider Hacker Arrests Halt Attacks, But Copycat Threats Sustain Security Pressure: Google Cloud’s Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.
- ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH: A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
- Hackers target Python devs in phishing attacks using fake PyPI site: The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks using a fake Python Package Index (PyPI) website.
- SafePay ransomware threatens to leak 3.5TB of Ingram Micro data: The SafePay ransomware gang is threatening to leak 3.5TB of data belonging to IT giant Ingram Micro, allegedly stolen from the company’s compromised systems earlier this month.
- Hackers actively exploit critical RCE in WordPress Alone theme: Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme ‘Alone,’ to achieve remote code execution and perform a full site takeover.
- Hackers plant 4G Raspberry Pi on bank network in failed ATM heist: The UNC2891 hacking group, also known as LightBasin, used a 4G-equipped Raspberry Pi hidden in a bank’s network to bypass security defenses in a newly discovered attack.
- Apple patches security flaw exploited in Chrome zero-day attacks: Apple has released security updates to address a high-severity vulnerability that has been exploited in zero-day attacks targeting Google Chrome users.
- New Lenovo UEFI firmware updates fix Secure Boot bypass flaws: Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
- AI Cuts vCISO Workload by 68% as Demand Skyrockets, New Report Finds: AI is reshaping vCISO services—and SMBs are fueling the surge. Cynomi’s 2025 report shows 3x adoption growth and major workload drops as MSPs and MSSPs scale cybersecurity like never before.
- Minnesota activates National Guard after St. Paul cyberattack: Minnesota Governor Tim Walz has activated the National Guard in response to a crippling cyberattack that struck the City of Saint Paul, the state’s capital, on Friday.
- Russian airline Aeroflot grounds dozens of flights after cyberattack: Aeroflot, Russia’s flag carrier, has suffered a cyberattack that resulted in the cancellation of more than 60 flights and severe delays on additional flights.
- DJI’s first 360-degree camera can continuously capture 8K footage for over 100 minutes: DJI has announced the company’s first 360-degree action camera designed to compete with the Insta360 X5 and the aging GoPro Max. The new DJI Osmo 360 slightly edges out the X5’s recording capabilities by capturing 8K videos at 50fps instead of 30fps.
- Uber Eats is adding AI to menus, food photos, and reviews: The menus on your next Uber Eats order may be embellished using generative AI. The food delivery service is rolling out new features that aim to help businesses advertise and communicate with customers, which include AI additions to menu descriptions, food photos, and review summaries.
- Hey Microsoft, is it ‘Xbox PC’ or ‘Xbox on PC’?: Microsoft first started using the “Xbox PC” term in a blog post announcing the Gears of Wars remaster in early May. It was a new branding effort designed to signal that games are available on PC through its own Xbox PC app and store.
- Meta is playing the AI game with house money: Mark Zuckerberg’s AI hiring spree is costing a lot of money. His investors don’t care. Meta’s stock price shot up over 10 percent on Wednesday after the company reported better-than-expected earnings.
- All of your international packages are about to get more expensive: President Donald Trump signed an executive order on Wednesday that will suspend the de minimis exemption — which allows packages with goods valued less than $800 to enter the US duty-free — for all countries.
- Spotify’s terrible privacy settings just leaked Palmer Luckey’s bops and bangers: Have you ever wondered what bops powerful figures are listening to on Spotify? You’d be amazed what you can get with a profile search – but just in case you want them all in one place, there’s the Panama Playlists, a newly published collection of data on the musical listening habits of politicians, journalists, and tech figures.
- Microsoft reports strong cloud earnings, with Windows and Xbox up too: Microsoft just posted the fourth and final quarter of its 2025 fiscal financial results. The software maker made $76.4 billion in revenue and a net income of $27.2 billion during Q4. Revenue is up 18 percent, and net income has increased by 24 percent.
- 8BitDo’s wireless Nintendo 64 controller is now available: Analogue’s 4K remake of the Nintendo 64 has been delayed again and again due to the US tariff situation. But at least you can get 8BitDo’s updated take on the N64 controller, which was announced alongside the Analogue 3D, while you wait.
- Layoffs hit CNET as its parent company goes on a buying spree: Ziff Davis, the media conglomerate that owns outlets like CNET, ZDNet, PCMag, and Mashable is laying off 15 percent of its unionized workforce, for a total of 23 people. The majority of layoffs are coming from CNET, where 19 people will lose their jobs.
- Dropbox is shutting down its password manager: Dropbox is discontinuing its password manager. The tool, Dropbox Passwords, will be discontinued on October 28th, and the company is recommending that you transfer your passwords to another app like 1Password ahead of that date.
- Koreans Hacked, Blackmailed by 250+ Fake Mobile Apps: A swath of copycat Korean apps are hiding spyware, occasionally leading to highly personal, disturbing extortions.
- Palo Alto Networks Grabs IAM Provider CyberArk for $25B: The deal shakes up the identity and access management landscape and expands Palo Alto Networks’ footprint in the cybersecurity market.
- Silk Typhoon Linked to Powerful Offensive Tools, PRC-Backed Companies: An unsealed indictment associated with the Chinese threat group shows its members worked for companies closely aligned with the PRC as part of a larger contractor ecosystem.
- The CrowdStrike Outage Was Bad, but It Could Have Been Worse: A year after the largest outage in IT history, organizations need to make an active effort to diversify their technology and software vendors and create a more resilient cyber ecosystem moving forward.
- ChatGPT, GenAI Tools Open to ‘Man in the Prompt’ Browser Attack: A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others.
- African Orgs Fall to Mass Microsoft SharePoint Exploits: The National Treasury of South Africa is among the half-dozen known victims in South Africa — along with other nations — of the mass compromise of on-premises Microsoft SharePoint servers.
- Nimble ‘Gunra’ Ransomware Evolves With Linux Variant: The emerging cybercriminal gang, which initially targeted Microsoft Windows systems, is looking to go cross-platform using sophisticated, multithread encryption.
- 🏴☠️ Flocker has just published a new victim : Gn.com: For The Board Of Gn Group We have breached your Main system and exfiltrated backup copy of all the data.
- 🏴☠️ Flocker has just published a new victim : Hu.iv.tw: To The Leadership Of National C***i University We Compromised The Department Of Statistics conducted research on data matrix visualization and […]
- 🏴☠️ Incransom has just published a new victim : Devon: Devon, April 21, 2013 – Tim Horton’s Devon helps make the Great Devon Trash Bash a smash! The Great Devon Trash Bash, formerly called the Community Clean Up, is this Sunday, April 21st.
- 🏴☠️ Qilin has just published a new victim : PDC www.cobranzasbeta.com.co: Promociones y Cobranzas Beta was created in 1987 as a collection unit of the then Banco Superior, which was acquired by Davivienda in 2006.
- 🏴☠️ Everest has just published a new victim : Bitbox: [AI generated] Bitbox is a technology company that specializes in creating video games. It was founded in 2010 and is headquartered in Russia.
- 🏴☠️ Incransom has just published a new victim : fsl.org: Originally founded in Huntington in 1926 as a social service agency, Family Service League (FSL) has grown substantially since then to provide the support and security more than 60,000 Long Islanders rely on every day.
- 🏴☠️ Global has just published a new victim : RUKU Tore – Türen: RUKU Tore + Türen GmbH. A young, modern company with a long tradition. For over 160 years our name RUKU has stood for the highest quality and experience in woodworking.
- 🏴☠️ J has just published a new victim : restiani.com: [AI generated] N/A
- 🏴☠️ Lynx has just published a new victim : Tooling Systems Group: Advanced Tooling Systems (ATS)
- 🏴☠️ Blackbyte has just published a new victim : DARA Pharma: Dara Pharmaceutical designs, develops, and manufactures packaging equipment for washing, sterilizing, filling, freeze-drying, and closing machines for vials, bottles, syringes, cartridges, and IV Bags to process liquid, semi-solid products, and powders in sterile conditions.
- 🏴☠️ Blackbyte has just published a new victim : Lee & Associates: In 1979, Bill Lee's vision became reality when he opened the first office of Lee & Associates in Orange County, California.
- 🏴☠️ Blackbyte has just published a new victim : Cpat Flex: CPAT FLEX provides innovative ingress and leakage detection solutions specifically designed for Hybrid Fiber-Coaxial (HFC) networks.
- 🏴☠️ Blackbyte has just published a new victim : Towne Mortgage: Founded in 1982, The Towne Mortgage Family of Companies has more than 40 years of experience in the mortgage industry.
- 🏴☠️ Incransom has just published a new victim : Dollar Tree: Dollar Tree, a Fortune 200 Company, operated 16,774 stores across 48 states and five Canadian provinces as of February 3, 2024.
- 🏴☠️ J has just published a new victim : gimaex.com: [AI generated] Gimaex is a leading French company specializing in the design and manufacturing of fire and rescue vehicles.
- 🏴☠️ Beast has just published a new victim : Winner School District 59-2: Winner is located in south central South Dakota along the Oyate Trail at the crossroads of SD Highway 44 and US Highways 18 & 183.
- 🏴☠️ Beast has just published a new victim : Windsor Realty and Management: Real Estate Windsor Management Corporation is a privately held, full-service commercial real estate company serving New York and Connecticut since 1944.
- 🏴☠️ Beast has just published a new victim : Washington Court House: Washington Court House is a city in Fayette County, Ohio. It is the county seat of Fayette County and is located approximately halfway between Cincinnati and Columbus.
- 🏴☠️ Beast has just published a new victim : Sani-Tech Systems: At Sanitech Systems, we don’t just build compactors, we set the standard. As the original auger compactor manufacturer, we’ve designed a solution that’s smarter, stronger, and more sustainable than traditional hydraulic compactors.
- 🏴☠️ Beast has just published a new victim : PROVAIL: PROVAIL is one of Washington State’s largest, multi-service agencies dedicated to meeting the needs of children, youth, and adults with disabilities who need an integrated, complex set of services to live life according to their own choices.
- 🏴☠️ Beast has just published a new victim : JPS Consulting Engineers: JPS Consulting Engineers is a group of dynamic site, civil and structural engineers based out of Indianapolis, Indiana.
- 🏴☠️ Beast has just published a new victim : Hafnia Law Firm: HAFNIA LAW FIRM specialises in shipping matters, be it by air, land, sea or a combination and we service the industries relative to transport like owners and cargo interests, insurance companies, banks, yards, repairshops and trade houses.
- 🏴☠️ Beast has just published a new victim : Grand Rapids Metrology: GR Metrology is a distributor and service provider specializing in weighing and measuring equipment, offering products and calibrated solutions to manufacturers.
- 🏴☠️ Beast has just published a new victim : El Paso Quality Dentistry: Dental health moves through many stages. Dr. McLaughlin and Dr. Sosa in El Paso, TX offer a range of preventive, cosmetic, & functional care for every age at El Paso Quality Dentistry.
- 🏴☠️ Beast has just published a new victim : De Noordboom: In addition to our joiners with years of experience, De Noordboom also has its own structural construction team.
- 🏴☠️ Beast has just published a new victim : Chevalier Machinery: Chevalier Machinery Inc. conducts all manufacturing, R&D, engineering, prototyping, in our 35,000 square foot facility.
- 🏴☠️ Beast has just published a new victim : Campbell Sand & Gravel: Campbell Gravel specializes in providing a wide range of sand, gravel, stone, and landscaping aggregates for various applications in North Battleford, Cochin, and Rabbit Lake.
- 🏴☠️ Beast has just published a new victim : Aseguradora Fortaleza: Aseguradora Fortaleza is a leading Bolivian insurance company and a key subsidiary of Grupo Fortaleza, one of Bolivia’s most prominent financial services conglomerates.
- 🏴☠️ Beast has just published a new victim : Acheson Doyle Partners Architects: Architecture, Engineering & Design – New York, United States Acheson Doyle Partners Architects is a leader in the restoration, rehabilitation and adaptive-reuse of existing buildings.
- 🏴☠️ Beast has just published a new victim : ACMARK: ACMARK s.r.o. is a company that operates in the Repair Services industry. It employs 10 to 19 people and has 1M to 5M in revenue.
- 🏴☠️ Beast has just published a new victim : 2fORM Architecture: 2fORM Architecture specializes in innovative sustainable architecture, offering design services for residential, commercial, and interior projects.
- 🏴☠️ Sinobi has just published a new victim : Built Environment Engineers: Built Environment Engineers is a mechanical, electrical, and plumbing consulting engineering firm that understands architecture and design.
- 🏴☠️ Sinobi has just published a new victim : Mid West Fabricating: Mid West Fabricating Company, Inc. provides special steel fasteners and formed rods for assembly into automotive and lawn and garden products, as well as various industrial and consumer items.
- 🏴☠️ Sinobi has just published a new victim : KMDI: KMDI is a leading manufacturer and installer specializing in custom architectural fabrications and designs, backed by over 40 years of industry experience.
- 🏴☠️ Safepay has just published a new victim : ingrammicro.com: [AI generated] Ingram Micro is a global technology and supply chain services provider.
- 🏴☠️ Qilin has just published a new victim : tissot.com: TISSOT Industrie is an internationally recognized French company, expert in heavy boilermaking and in the realization of tailor-made industrial projects.
- 🏴☠️ Qilin has just published a new victim : Custom Food Ingredients: Custom Food Group specializes in providing tailored food solutions for a diverse range of clients.
- Scammers Unleash Flood of Slick Online Gaming Sites: Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players.