Latest Ransomware News and New File Extensions
-
Warlock Ransomware:
- New Encrypted File Extension: Not specified
- Attack Methods: Targets and exploits vulnerabilities in on-premises SharePoint instances to gain access.
- Targets: Organizations using vulnerable SharePoint servers.
- Decryption Status: No known decryption method mentioned.
- Source: https://darkreading.com/cyberattacks-data-breaches/how-warlock-ransomware-targets-vulnerable-sharepoint-servers
-
Play Ransomware:
- New Encrypted File Extension: Not specified
- Attack Methods: Utilizes the PipeMagic backdoor and exploits a zero-day vulnerability in Windows Common Log File System (CVE-2025-29824) for privilege escalation.
- Targets: Diverse organizations, including CBG Surveying Texas and Omega Global Technologies.
- Decryption Status: No known decryption method mentioned.
- Source: https://darkreading.com/vulnerabilities-threats/pipemagic-backdoor-resurfaces-as-part-of-play-ransomware-attack-chain
-
Qilin Ransomware:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration followed by extortion threats.
- Targets: A wide range of industries, including automotive (Nissan CBI), healthcare (Fullerton Surgical Center), financial services (welldone.com.tw), and engineering (DAOR E&C Co., Ltd).
- Decryption Status: No known decryption method mentioned.
- Source: Aggregated Ransomware Leak Sites
-
Akira Ransomware:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration and extortion, threatening to publish sensitive corporate, financial, and personal data.
- Targets: Various US-based companies in sectors like manufacturing (NC Dynamics LLC, Advanced Blending Solutions), construction (Steel Encounters, RAVEN Mechanical), and healthcare services (RA Services).
- Decryption Status: No known decryption method mentioned.
- Source: Aggregated Ransomware Leak Sites
-
Observations and Further Recommendations
- A significant number of ransomware groups remain highly active, including Qilin, Akira, Play, Incransom, Spacebears, Medusa, and Rhysida, targeting a diverse range of global industries.
- Threat actors continue to leverage both zero-day flaws (Play ransomware using a Windows CLFS bug) and older, unpatched vulnerabilities (Warlock ransomware targeting SharePoint) to compromise networks.
- The primary tactic remains data exfiltration for double extortion, where stolen data is published if the ransom is not paid.
- Organizations are strongly advised to prioritize patch management for all systems, particularly public-facing infrastructure like SharePoint servers, and to implement robust endpoint detection and response (EDR) solutions to identify backdoors like PipeMagic.
-
News Details
- How Warlock Ransomware Targets Vulnerable SharePoint Servers: Researchers highlight how Warlock, a new ransomware heavyweight, uses its sophisticated capabilities to target on-premises SharePoint instances.
- PipeMagic Backdoor Resurfaces as Part of Play Ransomware Attack Chain: Attackers are wielding the sophisticated modular malware while exploiting CVE-2025-29824, a Windows Common Log File System (CLFS) flaw that was exploited as a zero-day before it was patched and that allows attackers to gain system-level privileges on compromised systems.
- 🏴‍☠️ Qilin has just published a new victim: Nissan CBI: The “Nissan Creative Box” refers to a design studio in Tokyo, previously known as a satellite design base for Nissan, and is now part of the larger Nissan design network.
- 🏴‍☠️ Akira has just published a new victim: NC Dynamics LLC: NC Dynamics LLC is a full-service manufacturing facility specializing in high-speed machining, including 3, 4, and 5 axis milling, CNC turning, and assembly. We are going to upload about 30 GB of corporate files.
- 🏴‍☠️ Play has just published a new victim: CBG Surveying Texas: United States