Ransomware Update – 2025-08-01

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • SafePay Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: The group claims to have breached systems and exfiltrated data, threatening to leak it if the ransom is not paid.
    • Targets: Ingram Micro, a major IT distributor. The group claims to have stolen 3.5TB of data.
    • Decryption Status: No information on decryption; the focus is on a data leak threat.
    • Source: SafePay ransomware threatens to leak 3.5TB of Ingram Micro data; SafePay Claims Ingram Micro Breach, Sets Ransom Deadline.
  • LockBit Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Deployed by the threat actor Storm-2603, which exploits Microsoft SharePoint Server vulnerabilities. The attack chain uses a custom DNS-controlled backdoor and C2 framework called AK47 C2.
    • Targets: Organizations using vulnerable Microsoft SharePoint Server instances.
    • Decryption Status: No new decryption information available.
    • Source: Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks.
  • DragonForce & Qilin Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: These groups are profiting from the collapse of other ransomware cartels like RansomHub, indicating a consolidation within the cybercrime ecosystem. Both groups actively post new victims on their leak sites.
    • Targets: Recent victims include Framon S.p.A. (manufacturing, by DragonForce) and the Aqaba Special Economic Zone Authority (government, by Qilin).
    • Decryption Status: No known public decryption tools.
    • Source: DragonForce Ransom Cartel Profits Off Rivals’ Demise; Ransomware leak site posts.
  • Incransom Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Primarily data exfiltration followed by extortion, targeting a wide variety of sectors.
    • Targets: Numerous small-to-medium-sized organizations, including a German retail company (Erich Schleich GmbH), a US fiduciary firm (Carolyn M. Young), a US healthcare association (WVPCA), a construction company (whiteconlee.com), and a food company (deliastamales.com).
    • Decryption Status: No known public decryption tools.
    • Source: Multiple ransomware leak site announcements.
  • Everest Group:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data theft and extortion. The group announced a full data leak for one of its victims.
    • Targets: High-profile companies including Mailchimp (marketing automation), Grayscale Investments (digital currency asset management), iPROMOTEu (promotional products), and Crumbl (food industry).
    • Decryption Status: Focus is on data leak extortion, not file encryption/decryption.
    • Source: Multiple ransomware leak site announcements.

Observations and Further Recommendations

  • The ransomware landscape remains highly active, with numerous groups like Incransom, Flocker, and Devman continuously listing new victims from diverse industries and geographic locations. This indicates a broad and opportunistic targeting strategy.
  • A consolidation trend is evident, where the demise of one major group (RansomHub) directly benefits others (DragonForce, Qilin), highlighting the fluid and competitive nature of the ransomware ecosystem.
  • Attack vectors continue to evolve. Threat actors are leveraging sophisticated custom tools, such as the AK47 C2 framework used in LockBit attacks, and exploiting specific software vulnerabilities in products like Microsoft SharePoint and WordPress themes to gain initial access.
  • Organizations should prioritize patch management for critical vulnerabilities, implement multi-factor authentication (MFA) to protect credentials, and enhance network monitoring to detect unusual activity, such as DNS-based C2 communications. Employee training on phishing and social engineering remains crucial.
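The DNS-based C2 detection named in the last recommendation, as an added example that is not part of the original digest: a heuristic that flags base domains receiving many unique, high-entropy subdomain lookups (the pattern a DNS-tunnelled beacon produces), run over constructed log lines in a hypothetical "<ts> <client> <qtype> <qname>" format. Thresholds and the "last two labels" domain split are assumptions to tune for a real resolver.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (hypothetical "<ts> <client> <qtype> <qname>" format).
SAMPLE_LOG = """\
2025-08-01T10:00:01 10.0.0.5 A www.example.com
2025-08-01T10:00:02 10.0.0.5 A cdn.example.com
2025-08-01T10:00:03 10.0.0.7 TXT 4a7f19e2c0b3d8.beacon.example-c2.test
2025-08-01T10:00:04 10.0.0.7 TXT 9c2e44d1a0f7b6.beacon.example-c2.test
2025-08-01T10:00:05 10.0.0.7 TXT e31b8f0d6a5c92.beacon.example-c2.test
2025-08-01T10:00:06 10.0.0.7 TXT 7d5a0c9e2b1f43.beacon.example-c2.test
2025-08-01T10:00:07 10.0.0.5 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex- or base32-looking beacon labels score far above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (subdomain, base). Assumption: last two labels are the base (no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_suspect_domains(log_text: str, min_unique: int = 4, min_entropy: float = 3.0):
    """Flag base domains whose many distinct, high-entropy leftmost labels resemble encoded C2 traffic."""
    labels_by_base = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the sweep
        sub, base = split_qname(parts[3])
        if sub:
            labels_by_base[base].add(sub.split(".")[0])  # leftmost label carries any encoded payload
    suspects = []
    for base, labels in labels_by_base.items():
        if len(labels) >= min_unique:
            mean_h = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
            if mean_h >= min_entropy:
                suspects.append(base)
    return sorted(suspects)

if __name__ == "__main__":
    print(find_suspect_domains(SAMPLE_LOG))  # expected: ['example-c2.test']
```

Legitimate CDN or anti-spam lookups can also produce high-entropy labels, so treat a hit as a triage lead to correlate with the querying host and query type rather than as a verdict.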

News Details

  • You Are What You Eat: Why Your AI Security Tools Are Only as Strong as the Data You Feed Them: Just as triathletes know that peak performance requires more than expensive gear, cybersecurity teams are discovering that AI success depends less on the tools they deploy and more on the data that powers them.
  • Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks: The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.
  • Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies: The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow.
  • Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials: Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.
  • N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto: The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.
  • AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals: Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target.
  • UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud: The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack.
  • Alert Fatigue, Data Overload, and the Fall of Traditional SIEMs: Security Operations Centers (SOCs) are stretched to their limits. Log volumes are surging, threat landscapes are growing more complex, and security teams are chronically understaffed.
  • Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install: Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites.
  • Pwn2Own hacking contest pays $1 million for WhatsApp exploit: The Zero Day Initiative is offering a $1 million reward to security researchers who will demonstrate a zero-click WhatsApp exploit at its upcoming Pwn2Own Ireland 2025 hacking contest.
  • Kali Linux can now run in Apple containers on macOS systems: Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apple’s new containerization framework.
  • Microsoft to disable Excel workbook links to blocked file types: Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026.
  • Microsoft now pays up to $40,000 for some .NET vulnerabilities: Microsoft has expanded its .NET bug bounty program and increased rewards to $40,000 for some .NET and ASP.NET Core vulnerabilities.
  • CISA open-sources Thorium platform for malware, forensic analysis: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors.
  • Microsoft: Russian hackers use ISP access to hack embassies in AiTM attacks: Microsoft warns that a cyber-espionage group linked to Russia’s Federal Security Service (FSB) is targeting diplomatic missions in Moscow using local internet service providers.
  • Inside a Real Clickfix Attack: How This Social Engineering Hack Unfolds: ClickFix abuses clipboards. FileFix hijacks File Explorer. Both social engineering attacks start in the browser—and end in malware.
  • Spikes in malicious activity precede new security flaws in 80% of cases: Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.
  • Proton launches free standalone cross-platform Authenticator app: Proton has launched Proton Authenticator, a free standalone two-factor authentication (2FA) application for Windows, macOS, Linux, Android, and iOS.
  • ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH: A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
  • Hackers target Python devs in phishing attacks using fake PyPI site: The Python Software Foundation warned users this week that threat actors are trying to steal their credentials in phishing attacks using a fake Python Package Index (PyPI) website.
  • SafePay ransomware threatens to leak 3.5TB of Ingram Micro data: The SafePay ransomware gang is threatening to leak 3.5TB of data belonging to IT giant Ingram Micro, allegedly stolen from the company’s compromised systems earlier this month.
  • Hackers actively exploit critical RCE in WordPress Alone theme: Threat actors are actively exploiting a critical unauthenticated arbitrary file upload vulnerability in the WordPress theme ‘Alone,’ to achieve remote code execution and perform a full site takeover.
  • Nintendo’s Switch 2 doubles first-month sales of the original: Nintendo’s financial year is off to a bumper start thanks to explosive sales of its Switch 2 console.
  • The LeapMove is a gamified camera designed to get kids off the couch: LeapFrog has announced a new electronic learning system that swaps controllers for a camera.
  • Apple shipped its 3 billionth iPhone: Apple has been the target of a fair amount of criticism over the past year, from its AI missteps to a strong distaste for its new design ethos. But the numbers don’t lie, and if Apple knows how to do anything it’s sell iPhones.
  • Apple says Trump’s tariffs are adding another $1 billion to its costs: Apple is spending a lot on President Donald Trump’s tariffs. During an earnings call on Thursday, Apple CEO Tim Cook said the duties could add $1.1 billion to its costs during the September quarter.
  • Tim Cook says Apple is ‘open to’ AI acquisitions: Apple CEO Tim Cook says the company is “open” to mergers and acquisitions as it “significantly” increases its investment in AI, as reported by CNBC.
  • Google’s Pixel Tablet is $190 off for a limited time: During the most recent Prime Day, the Google Pixel Tablet with Wi-Fi and 256GB of storage briefly dropped to just $309 ($190 off) — but the deal disappeared in a matter of hours.
  • Reddit wants to be a search engine now: Reddit knows that it has valuable data from actual people — it’s already reached deals with big AI companies like OpenAI and Google to share its data with them.
  • DJI won’t sell you an Osmo 360 in the US — but these retailers will: We knew DJI had a hard time importing its drones into the United States to the point that many shelves have gone bare, but it’s not just drones anymore.
  • The Switch 2 is off to a speedy start for big third-party games: With the Switch 2, Nintendo seems to be closing the release date gap with some of its third-party games.
  • The Epic Games Store is bringing Fortnite back to Google Play: Following an appeals court victory on Thursday, Epic CEO Tim Sweeney tweeted that “the Epic Games Store for Android will be coming to the Google Play Store.”
  • SIEMs: Dying a Slow Death or Poised for AI Rebirth?: The SIEM market is at a pivotal point as XDR platforms and generative AI shake up the security analytics space.
  • Gen Z Falls for Scams 2x More Than Older Generations: Forget gullible old people — Gen Z is the most at-risk age group on the Web.
  • DragonForce Ransom Cartel Profits Off Rivals’ Demise: The fall of RansomHub led to a major consolidation of the ransomware ecosystem last quarter, which was a boon for the DragonForce and Qilin gangs.
  • SafePay Claims Ingram Micro Breach, Sets Ransom Deadline: The ransomware gang claims to have stolen 3.5TB of data, and told the technology distributor to pay up or suffer a data breach.
  • Russia’s Secret Blizzard APT Gains Embassy Access via ISPs: An ongoing AitM campaign by the infamous Moscow-sponsored cyber-threat actor has widened its scope, dropping the dangerous ApolloShadow custom backdoor malware thanks to lawful intercept systems.
  • Koreans Hacked, Blackmailed by 250+ Fake Mobile Apps: A swath of copycat Korean apps are hiding spyware, occasionally leading to highly personal, disturbing extortions.
  • 🏴‍☠️ Devman has just published a new victim: kw.tw: 1000000 USD
  • 🏴‍☠️ Sinobi has just published a new victim: PK Contracting: PK Contracting is a leader in pavement marking services, offering a range of solutions including permanent and temporary markings, pavement marking removal, and polymerized cement surfacing.
  • 🏴‍☠️ Dragonforce has just published a new victim: Framon S.p.A.: FRAMON S.p.A. is an important company that has been present in the worldwide market since 1973 as one of the main manufacturing companies of non-ferrous casting components for the furniture and lighting industry.
  • 🏴‍☠️ Flocker has just published a new victim: Ieee-apscon.org: To The IEEE Sensors Council We Have Breached APSCON2025 Event And Full Attendees Guest List And Registry System And Global […]
  • 🏴‍☠️ Incransom has just published a new victim: erichschleichgmbh.de: Erich Schleich GmbH is a company that operates in the Sporting & Recreational Equipment Retail industry.
  • 🏴‍☠️ Play has just published a new victim: Thern: United States
  • 🏴‍☠️ Qilin has just published a new victim: www.afmco.jo: ABOUT THE AQABA SPECIAL ECONOMIC ZONE AUTHORITY (ASEZA) The Aqaba Special Economic Zone Authority plays a leading role at the administrative and governmental level in the Hashemite Kingdom of Jordan…
  • Scammers Unleash Flood of Slick Online Gaming Sites: Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players.