Latest Ransomware News and New File Extensions
Qilin Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data encryption and exfiltration targeting various industries.
- Targets: Inotiv, Inc. (a US-based contract research organization), Uganda Electricity Transmission Company Limited (utility), and APDerm (dermatology clinic network).
- Decryption Status: No known decryption method.
- Source: https://www.bleepingcomputer.com/news/security/pharma-firm-inotiv-says-ransomware-attack-impacted-operations/
Akira Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration with threats to leak sensitive corporate data, including financial records, invoices, and personal information of employees and customers (Social Security Numbers, driver’s licenses).
- Targets: Bobcat Central (equipment dealer), Electro-Tech (electrical products representative), and Rare Editions (girls’ clothing manufacturer).
- Decryption Status: No known decryption method.
- Source: Ransomware victim announcements.
Sinobi Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public disclosure of victims.
- Targets: A diverse range of small to medium-sized businesses across various sectors, including engineering, industrial supply, hydraulics, education, electronics, and property management.
- Decryption Status: No known decryption method.
- Source: Ransomware victim announcements.
Play Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Exploiting CVE-2025-29824, a privilege escalation vulnerability in the Windows Common Log File System (CLFS), to deploy the sophisticated PipeMagic backdoor.
- Targets: Organizations with unpatched Windows systems.
- Decryption Status: No known decryption method.
- Source: https://darkreading.com/cyberattacks-data-breaches/pipemagic-backdoor-resurfaces-play-ransomware-attack-chain
Observations and Further Recommendations
- A wide variety of ransomware groups (including Sinobi, Akira, Qilin, Safepay, and others) are actively targeting a diverse range of industries, from healthcare and utilities to manufacturing and education. This indicates a broad, opportunistic strategy focused on data exfiltration and extortion.
- The attack on pharmaceutical firm Inotiv highlights the significant operational disruption ransomware can cause in critical sectors.
- A notable technical development is the Play ransomware group’s use of a recently patched Windows vulnerability (CVE-2025-29824) alongside the PipeMagic backdoor, emphasizing the need for immediate patching and advanced threat detection capabilities to counter sophisticated attack chains.
- General recommendations include prioritizing timely security updates, implementing multi-factor authentication (MFA), maintaining and testing offline backups, and deploying robust endpoint detection and response (EDR) solutions.
News Details
- 🕵️ Webinar: Discover and Control Shadow AI Agents in Your Enterprise Before Hackers Do: Do you know how many AI agents are running inside your business right now? If the answer is “not sure,” you’re not alone—and that’s exactly the concern. Across industries, AI agents are being set up every day. Sometimes by IT, but often by business units moving fast to get results.
- From Impact to Action: Turning BIA Insights Into Resilient Recovery: Modern businesses face a rapidly evolving and expanding threat landscape, but what does this mean for your business? It means a growing number of risks, along with an increase in their frequency, variety, complexity, severity, and potential business impact.
- North Korea Uses GitHub in Diplomat Cyber Attacks as IT Worker Scheme Hits 320+ Firms: North Korean threat actors have been attributed to a coordinated cyber espionage campaign targeting diplomatic missions in South Korea between March and July 2025. The activity manifested in the form of at least 19 spear-phishing emails that impersonated trusted diplomatic contacts.
- DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks: A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot.
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems: Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper. But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access.
- New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code: Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT. The malicious activity involves the “distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger.”
- Public Exploit for Chained SAP Flaws Exposes Unpatched Systems to Remote Code Execution: A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft. The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution.
- U.K. Government Drops Apple Encryption Backdoor Order After U.S. Civil Liberties Pushback: The U.K. government has apparently abandoned its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens.
- Why Your Security Culture is Critical to Mitigating Cyber Risk: After two decades of developing increasingly mature security architectures, organizations are running up against a hard truth: tools and technologies alone are not enough to mitigate cyber risk. As tech stacks have grown more sophisticated and capable, attackers have shifted their focus.
- PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks: The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks.
- Noodlophile Malware Campaign Expands Global Reach with Copyright Phishing Lures: The threat actors behind the Noodlophile malware are leveraging spear-phishing emails and updated delivery mechanisms to deploy the information stealer in attacks aimed at enterprises located in the U.S., Europe, Baltic countries, and the Asia-Pacific (APAC) region.
- Microsoft reportedly fixing SSD failures caused by Windows updates: Recently released Windows 11 24H2 updates are reportedly causing data corruption and failure issues for some SSD and HDD models on up-to-date systems.
- Microsoft fixes Windows upgrades failing with 0x8007007F error: Microsoft has resolved a known issue that caused Windows upgrades to fail with 0x8007007F errors on some Windows 11 and Windows Server systems.
- Microsoft releases emergency updates to fix Windows recovery: Microsoft has released emergency Windows out-of-band updates to resolve a known issue breaking reset and recovery operations after installing the August 2025 Windows security updates.
- PyPI now blocks domain resurrection attacks used for hijacking accounts: The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets.
- Okta open-sources catalog of Auth0 rules for threat detection: Okta has open-sourced ready-made Sigma-based queries for Auth0 customers to detect account takeovers, misconfigurations, and suspicious behavior in event logs.
- Microsoft shares workaround for Teams “couldn’t connect” error: Microsoft is resolving a known issue that causes “couldn’t connect” errors when launching the Microsoft Teams desktop and web applications.
- Elastic rejects claims of a zero-day RCE flaw in Defend EDR: Enterprise search and security company Elastic is rejecting reports of a zero-day vulnerability impacting its Defend endpoint detection and response (EDR) product.
- OpenAI releases $4 ChatGPT plan, but it’s not available in the US for now: OpenAI has finally announced the GPT Go subscription, which costs just $4 in the US or INR 399 in India.
- Pharma firm Inotiv says ransomware attack impacted operations: American pharmaceutical company Inotiv has disclosed that some of its systems and data have been encrypted in a ransomware attack, impacting the company’s business operations.
- Microsoft: August security updates break Windows recovery, reset: Microsoft has confirmed that the August 2025 Windows security updates are breaking reset and recovery operations on systems running Windows 10 and older versions of Windows 11.
- NY Business Council discloses data breach affecting 47,000 people: The Business Council of New York State (BCNYS) has revealed that attackers who breached its network in February stole the personal, financial, and health information of over 47,000 individuals.
- Massive Allianz Life data breach impacts 1.1 million people: Hackers have stolen the personal information of 1.1 million individuals in a Salesforce data theft attack, which impacted U.S. insurance giant Allianz Life in July.
- Made by Google: How to watch the Pixel 10 launch: Google is set to reveal its new flagship Pixel hardware at a Made by Google event today at 1PM ET / 10AM PT, when we’ll find out exactly what the company has in store with its expected Pixel 10 phones, Pixel Watch 4, and Pixel Buds 2A.
- Prices leak for the rest of Google’s new Pixel products: At this rate, nothing announced at Google’s Pixel event will be a surprise. More prices have leaked for Google’s new lineup of Pixel phones and watches, this time joined by prices for the new accessories and Pixel Buds 2A.
- Ikea’s most Ikea product ever: Ikea is teaming up with a Swedish designer for its latest collection, and the first product being teased is a dedicated plate for Ikea’s greatest product: meatballs. The 12-piece Gustaf Westman collection that’s launching on September 9th includes a chunky blue serving dish that is shaped to fit exactly 11 of the delicious morsels “in a celebratory row.”
- Hyperkin’s DualSense-inspired Xbox controller is finally launching this fall: There’s good news if you’re an Xbox gamer who’s longingly stared at the sleeker design of Sony’s DualSense controller for the PlayStation 5. After revealing the final form of its Competitor gamepad at CES 2025, Hyperkin has announced it will be available sometime in October for $49.99.
- The White House just joined TikTok: While it was President Joe Biden who signed the law that would force ByteDance to sell its stake in TikTok or face a ban, it’s his successor, Donald Trump, who has yet to fulfill his promise of arranging a deal to keep TikTok running, legally, in the United States.
- Here are the best Apple Watch deals available right now: The Apple Watch Ultra 2 is currently on sale in select configurations starting at $649, which remains one of its best prices to date.
- Google Gemini can now read your Docs aloud: Google Docs will now let you generate an audio version of your documents using AI. In a post announcing the rollout, Google says you can customize Gemini’s AI audio output with different voices and playback speeds.
- Google announced the next step in its nuclear energy plans: Google is one step closer to reaching its nuclear ambitions now that it’s working with public power utility Tennessee Valley Authority (TVA) to purchase electricity from a next-generation reactor.
- All the news from Gamescom Opening Night Live 2025: While it didn’t feature much of Silksong outside of a brief tease — though there’s plenty more coming very soon — the main event for Gamescom, Opening Night Live, did have plenty to show off during its two hour runtime.
- Microsoft employees occupy headquarters in protest of Israel contracts: On Tuesday, a group of current and former Microsoft employees, as well as community members, took over a plaza at Microsoft’s headquarters in Redmond, Washington, as part of a No Azure for Apartheid protest.
- Asian Orgs Shift Cybersecurity Requirements to Suppliers: The uptick in breaches in Asia has prompted a Japanese chipmaker and the Singaporean government to require vendors to pass cybersecurity checks to do business.
- Russian Hacktivists Take Aim at Polish Power Plant, Again: This attack was seemingly more successful than the first iteration, causing disruptions at the plant.
- ‘RingReaper’ Sneaks Right Past Linux EDRs: The highly sophisticated post-compromise tool abuses the Linux kernel’s io_uring interface to remain hidden from endpoint detection and response systems.
- AI Agents Access Everything, Fall to Zero-Click Exploit: Zenity CTO Michael Bargury joins the Black Hat USA 2025 News Desk to discuss research on a dangerous exploit, how generative AI technology has “grown arms and legs” —and what that means for cyber risk.
- Millions Allegedly Affected in Allianz Insurance Breach: Have I Been Pwned claims that the compromised data includes physical addresses, dates of birth, phone numbers, and more, for life insurance customers.
- PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain: Attackers are wielding the sophisticated modular malware while exploiting CVE-2025-29824, a flaw in the Windows Common Log File System (CLFS) that was previously exploited as a zero-day and that allows attackers to gain system-level privileges on compromised systems.
- ‘DripDropper’ Hackers Patch Their Own Exploit: An attacker is breaking into Linux systems via a widely abused 2-year-old vulnerability in Apache ActiveMQ, installing malware and then patching the flaw.
- Noodlophile Stealer Hides Behind Bogus Copyright Complaints: Noodlophile is targeting enterprises in spear-phishing attacks using copyright claims as phishing lures.
- Oregon Man Charged in ‘Rapper Bot’ DDoS Service: A 22-year-old Oregon man has been arrested on suspicion of operating “Rapper Bot,” a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets — including a March 2025 DDoS that knocked Twitter/X offline.