Ransomware Update – 2025-08-02

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Exploiting SonicWall SSL VPN devices, potentially through a zero-day vulnerability on fully-patched systems, to gain initial access for ransomware deployment.
    • Targets: Organizations using SonicWall VPNs. Recently leaked victims include companies in manufacturing, logistics, legal, agriculture, and flooring distribution sectors.
    • Decryption Status: No known method yet.
    • Source: https://thehackernews.com/2025/08/akira-ransomware-exploits-sonicwall-vpns.html
  • Storm-2603 (threat actor deploying Warlock and LockBit):

    • New Encrypted File Extension: Not applicable (this is the threat actor deploying the ransomware).
    • Attack Methods: Exploiting Microsoft SharePoint Server vulnerabilities and deploying a custom backdoor framework named AK47 C2 for command-and-control prior to ransomware deployment.
    • Targets: Organizations with vulnerable Microsoft SharePoint Server instances.
    • Decryption Status: No known method yet for the resulting ransomware attacks.
    • Source: https://thehackernews.com/2025/08/storm-2603-deploys-dns-controlled.html
  • DragonForce & Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: These gangs are reportedly benefiting from the shutdown of rival groups like RansomHub, leading to a consolidation in the ransomware landscape.
    • Targets: Diverse industries. Recent Qilin victims include engineering, environmental services, and a school district. DragonForce recently listed an Italian manufacturing firm.
    • Decryption Status: No known method yet.
    • Source: https://www.darkreading.com/cyber-risk/dragonforce-ransom-cartel-profits-off-rivals-demise
  • SafePay:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration followed by ransom demands with a public deadline, threatening to publish stolen data if payment is not received.
    • Targets: Recently claimed a major breach against technology distributor Ingram Micro and also listed a US-based funeral home.
    • Decryption Status: No known method yet.
    • Source: https://www.darkreading.com/cyberattacks-data-breaches/safepay-claims-ingram-micro-breach-sets-ransom-deadline
  • Medusa:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and publication on their leak site.
    • Targets: Recently listed a school district in Washington (Franklin Pierce Schools) and a US-based coffee corporation (White Coffee Corporation).
    • Decryption Status: No known method yet.
    • Source: Ransomware activity monitoring feed.
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and publication on their leak site.
    • Targets: Highly active, targeting a wide range of sectors including education (Radford City Schools), healthcare (WVPCA), finance, retail, and real estate.
    • Decryption Status: No known method yet.
    • Source: Ransomware activity monitoring feed.

Observations and Further Recommendations

  • The Akira ransomware campaign targeting SonicWall VPNs highlights a critical and ongoing trend of threat actors exploiting edge devices and internet-facing infrastructure for initial access.
  • Ransomware gangs continue to target a diverse and opportunistic range of victims, from major technology distributors (Ingram Micro) and hospitals to smaller entities like school districts, law firms, and local businesses, as seen in the extensive victim lists from groups like Incransom and Akira.
  • Organizations should prioritize the immediate patching of all internet-facing systems, particularly VPNs and firewalls. Enforcing multi-factor authentication (MFA) across all services is crucial to mitigate the risk of attacks that leverage compromised credentials.

News Details

  • Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices: SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. “In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf Labs researcher Julian Tuin said in a report.
  • Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Prompt Injection: Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a popular artificial intelligence (AI) code editor, that could result in remote code execution (RCE). The vulnerability, tracked as CVE-2025-54135 (CVSS score: 8.6), has been addressed in version 1.3 released on July 29, 2025.
  • Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts: Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. “The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign,” Proofpoint said in a Thursday report.
  • AI-Generated Malicious npm Package Drains Solana Funds from 1,500+ Before Takedown: Cybersecurity researchers have flagged a malicious npm package that was generated using artificial intelligence (AI) and concealed a cryptocurrency wallet drainer. The package, @kodane/patch-manager, claims to offer “advanced license validation and registry optimization utilities for high-performance Node.js applications.”
  • You Are What You Eat: Why Your AI Security Tools Are Only as Strong as the Data You Feed Them: Just as triathletes know that peak performance requires more than expensive gear, cybersecurity teams are discovering that AI success depends less on the tools they deploy and more on the data that powers them.
  • Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks: The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.
  • Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies: The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow.
  • SonicWall firewall devices hit in surge of Akira ransomware attacks: SonicWall firewall devices have been increasingly targeted since late July in a surge of Akira ransomware attacks, potentially exploiting a previously unknown security vulnerability, according to cybersecurity company Arctic Wolf.
  • Pi-hole discloses data breach triggered by WordPress plugin flaw: Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin.
  • DragonForce Ransom Cartel Profits Off Rivals’ Demise: The fall of RansomHub led to a major consolidation of the ransomware ecosystem last quarter, which was a boon for the DragonForce and Qilin gangs.
  • SafePay Claims Ingram Micro Breach, Sets Ransom Deadline: The ransomware gang claims to have stolen 3.5TB of data, and told the technology distributor to pay up or suffer a data breach.
  • 🏴‍☠️ Rhysida has just published a new victim: Cookeville Regional Medical Center: At Cookeville Regional Medical Center, we are dedicated to providing the highest quality care to our patients and making a positive impact on our community.
  • 🏴‍☠️ Medusa has just published a new victim: Franklin Pierce Schools: Franklin Pierce Schools is a school district located in Tacoma, Washington. It is made up of 15 schools, which include nine elementary schools, two middle schools & four high schools. The total amount of data leakage is 821.30 GB
  • 🏴‍☠️ Medusa has just published a new victim: White Coffee Corporation: White Coffee Corporation is a family-owned business with over 85 years of experience, specializing in coffee roasting and co-packing services for beverage brands, hospitality providers, and entrepreneurs. The total amount of data leakage is 88.40 GB
  • 🏴‍☠️ Qilin has just published a new victim: fortsmithschools.org: The Fort Smith Public School district is a destination district built on relationships, collaboration, and a culture of excellence. With over 2,000 employees, FSPS is one of the largest employers in Fort Smith, Arkansas.
  • 🏴‍☠️ Akira has just published a new victim: Meissner Fenstertechnik: Meissner Fenstertechnik creates solutions for building components. Innovative technologies for windows and doors. We are ready to upload 20 GB of corporate documents.
  • 🏴‍☠️ Incransom has just published a new victim: Radford City Schools: Radford City Public Schools is a public school district in Radford, Virginia, serving approximately 3,690 students in grades PK-12. 100Gb sensitive, medical and personal data will be published soon in our blog.
  • 🏴‍☠️ Akira has just published a new victim: Hölscher Holding: Hölscher Holding specializes in consulting, planning, and implementing storage and logistics systems, making it a leading provider in Europe. We are ready to upload 24 GB of corporate documents.
  • 🏴‍☠️ Akira has just published a new victim: Herrman Law Firm: Herrman Law LLC, led by attorney Lynnette Herrman, specializes in family law representation… We are ready to upload more than 168GB files of essential corporate documents such as: financial data… employees and customers information (credit cards, medical information, passports, SSNs, DLs and other documents).
  • 🏴‍☠️ Play has just published a new victim: Quartus Engineering: United States