Latest Ransomware News and New File Extensions
Crypto24:
- New Encrypted File Extension: Not specified.
- Attack Methods: Employs custom utilities to evade Endpoint Detection and Response (EDR) and other security solutions, followed by data exfiltration and file encryption.
- Targets: Large organizations.
- Decryption Status: No known decryption method mentioned.
- Source: Crypto24 ransomware hits large orgs with custom EDR evasion tool
North Korean State-Sponsored Actors:
- New Encrypted File Extension: Not specified.
- Attack Methods: Utilizes a multi-pronged approach, simultaneously deploying information stealers, backdoors, and ransomware to maximize impact.
- Targets: Organizations and individuals in South Korea.
- Decryption Status: No known decryption method mentioned.
- Source: North Korea Attacks South Koreans With Ransomware
Ransomware Financial Infrastructure Sanctioned:
- Prominent Details: The U.S. Treasury has sanctioned the Russian cryptocurrency exchange Grinex, identified as the successor to Garantex. Both platforms are accused of facilitating over $100 million in illicit transactions for ransomware gangs and other cybercriminals.
- Source: U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions
Active Ransomware Groups (Victim Announcements):
- Details: Multiple ransomware groups, including Qilin, Play, Akira, Sarcoma, Datacarry, and Sinobi, have announced new victims on their data leak sites.
- Attack Methods: These incidents primarily involve data exfiltration, with gangs threatening to publish sensitive corporate and personal information. Akira, for instance, claimed to have exfiltrated over 134GB of data from a law firm, including legal documents and personal information.
- Targets: A diverse range of sectors were targeted globally, including architecture firms, law firms, manufacturing, venture capital, and IT services across the US and Europe.
- Decryption Status: No decryption tools are available; the primary threat is data leakage.
- Source: Various ransomware leak site publications.
Observations and Further Recommendations
- Ransomware attacks remain a high-volume threat, with numerous groups like Qilin, Play, and Akira actively compromising and extorting organizations across various industries.
- A clear trend is the use of custom tooling to bypass modern security defenses, as seen with the Crypto24 group’s evasion of EDR solutions.
- Data exfiltration is now a standard component of ransomware attacks, often serving as the primary extortion lever even if encryption fails.
- Government agencies are continuing efforts to disrupt the financial ecosystem supporting ransomware by sanctioning cryptocurrency exchanges like Garantex and Grinex, which are used for money laundering.
- Organizations should prioritize robust defense-in-depth strategies, including advanced EDR, regular security audits, and employee training to mitigate the risk of initial access and lateral movement by attackers.
News Details
- U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions: The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019. The Treasury said it’s also imposing sanctions on Garantex’s successor, Grinex.
- Crypto24 ransomware hits large orgs with custom EDR evasion tool: The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files.
- North Korea Attacks South Koreans With Ransomware: DPRK hackers are throwing every kind of malware at the wall and seeing what sticks, deploying stealers, backdoors, and ransomware all at once.
- US sanctions Grinex crypto-exchange, successor to Garantex: The U.S. Department of the Treasury has announced sanctions against Grinex, the successor to Russian cryptocurrency exchange Garantex, which was previously sanctioned for helping ransomware gangs launder their money.
- 🏴☠️ Qilin has just published a new victim: marma.com.pl: MARMA Polskie Folie is one of the largest plastics processors in Europe. The company produces products for the agriculture, horticulture, construction and packaging industries. Internally, the company employs more than 1,000 people.
- 🏴☠️ Sarcoma has just published a new victim: Maselli Misure S.p.A. Information: For over 70 years, Maselli has been a trusted family-owned business, dedicated to designing and manufacturing innovative optical technology for in-line and laboratory quality control analysis.
- 🏴☠️ Play has just published a new victim: eShipGlobal: United States
- 🏴☠️ Akira has just published a new victim: Ranshu, Meridian Auto Parts, Visionaire, Omega enviromenta technologies, Ap Air: We are going to upload about 47 GB of a bunch of companies. All of them are auto parts related. You will find detailed employees information (DOB, DL numbers and so on), HR files, financial and accounting information, lots of agreements and contracts, drawings, specifications…
- 🏴☠️ Akira has just published a new victim: Rusin Law: Rusin Law is a premier civil litigation defense firm specializing in workers’ compensation cases. We are ready to upload more than 134GB of files of essential corporate documents such as: financial data…employees and customers information…and other documents containing confidential information.
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution: Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems.
- New HTTP/2 ‘MadeYouReset’ Vulnerability Enables Large-Scale DoS Attacks: Multiple HTTP/2 implementations have been found susceptible to a new attack technique called MadeYouReset that could be exploited to conduct powerful denial-of-service (DoS) attacks.
- Hackers Found Using CrossC2 to Expand Cobalt Strike Beacon’s Reach to Linux and macOS: Japan’s CERT coordination center (JPCERT/CC) on Thursday revealed it observed incidents that involved the use of a command-and-control (C2) framework called CrossC2, which is designed to extend the functionality of Cobalt Strike to other platforms like Linux and Apple macOS for cross-platform system control.
- CISA Adds Two N-able N-central Flaws to Known Exploited Vulnerabilities Catalog: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws impacting N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.