Ransomware Update – 2025-08-29

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • PromptLock (AI-Powered Ransomware):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A newly discovered ransomware written in Go that drives a locally hosted open-weight model (OpenAI’s gpt-oss:20b) through the Ollama API to generate Lua scripts on the fly for data theft and encryption. Because the scripts are produced at run time rather than shipped inside the binary, hash- or script-based indicators will not hold from one run to the next; detection has to key on behaviour, such as an unexpected process talking to a model server and then writing or launching Lua.
    • Targets: Cross-platform systems including Windows, macOS, and Linux.
    • Decryption Status: No decryptor is known. The sample is described as experimental rather than as part of an active campaign.
    • Source: “Someone Created the First AI-Powered Ransomware Using OpenAI’s gpt-oss:20b Model” / “Experimental PromptLock ransomware uses AI to encrypt, steal data”
  • Storm-0501 (Cloud-Based Extortion):

    • New Encrypted File Extension: Not applicable; focuses on data exfiltration and deletion.
    • Attack Methods: This financially motivated group has moved from deploying ransomware on-premises to extortion run from inside the cloud. In hybrid environments it pivots from a compromised on-premises footprint into Entra ID, then uses the resulting cloud privileges to exfiltrate data from Azure and delete the originals before issuing its demand.
    • Targets: Organizations utilizing hybrid cloud environments, particularly with Azure.
    • Decryption Status: Not applicable; the data is exfiltrated or deleted rather than encrypted, so recovery depends on backups and copies the actor could not reach.
    • Source: “Storm-0501 hackers shift to ransomware attacks in the cloud” / “Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks”
  • Ongoing Ransomware Gang Activity:

    • New Encrypted File Extension: Not specified in recent reports.
    • Attack Methods: Data exfiltration and publication on leak sites for extortion. The Blacknevas group, for example, claims to have stolen 4TB of data from Toyota’s corporate network.
    • Targets: A wide array of global entities across various sectors, including manufacturing (The Fredericks Company), automotive (Toyota Asia), professional services (BDO Perú), government (Town of Chatham, MA), healthcare (Firelands Scientific, Shropdoc), and aerospace (TRAF Industrial Products Inc).
    • Decryption Status: Not specified in the announcements.
    • Source: Public victim announcements from numerous active groups, including Akira, Blacknevas, Cephalus, Incransom, Qilin, and Rhysida.
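
A behaviour-based check for the PromptLock technique described above, added here as an example; it is not code from ESET’s analysis or from the malware. It assumes endpoint telemetry flattened into the constructed event schema documented in the docstring (field names are this example’s own, not a vendor’s), uses Ollama’s default API port 11434 and its /api/generate and /api/chat endpoints as the indicator of a model query, and treats the five-minute correlation window and the allowlist as tuning assumptions.

```python
"""Correlate "process queried an Ollama API endpoint" with "same process then
wrote or executed Lua", the run-time script generation pattern of PromptLock.

Telemetry format (constructed for this example, not a vendor schema): one dict
per event with 'ts' (epoch seconds), 'host', 'pid', 'image' (the acting
process's executable), 'event', and either 'dst_ip'/'dst_port' (net_connect,
optionally 'http_path' if a proxy logs it), 'path' (file_write) or 'cmdline'
(process_create, the child's command line).
"""
from collections import defaultdict

OLLAMA_PORT = 11434                                  # Ollama's default API port
OLLAMA_PATHS = ("/api/generate", "/api/chat")        # Ollama generation endpoints
WINDOW_SECONDS = 300                                 # Lua activity within 5 min of a query (assumption)
LUA_INTERPRETERS = {"lua", "lua5.1", "lua5.3", "lua5.4", "luajit", "lua.exe", "luajit.exe"}
ALLOWLISTED_IMAGES = {"ollama", "ollama.exe"}        # the legitimate CLI client also calls the API


def basename(path):
    """Last path component for '/' or '\\' separators, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_lua_activity(ev):
    """True for a .lua file write or the launch of a Lua interpreter."""
    if ev["event"] == "file_write":
        return ev["path"].lower().endswith(".lua")
    if ev["event"] == "process_create":
        argv = ev["cmdline"].split()
        return bool(argv) and basename(argv[0]) in LUA_INTERPRETERS
    return False


def is_ollama_call(ev):
    """Match on the port or URL path, not on loopback only: the model server can
    sit on another host reached through a tunnel, so 127.0.0.1 is not a safe filter."""
    if ev["event"] != "net_connect":
        return False
    return ev["dst_port"] == OLLAMA_PORT or ev.get("http_path", "").startswith(OLLAMA_PATHS)


def find_suspects(events):
    """Return one alert per process that queried the API and then touched Lua
    within WINDOW_SECONDS; allowlisted client binaries are skipped."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_proc[(ev["host"], ev["pid"], ev["image"])].append(ev)

    alerts = []
    for (host, pid, image), evs in by_proc.items():
        if basename(image) in ALLOWLISTED_IMAGES:
            continue
        api_calls = [e for e in evs if is_ollama_call(e)]
        if not api_calls:
            continue
        for ev in evs:
            if not is_lua_activity(ev):
                continue
            prior = [c for c in api_calls if 0 <= ev["ts"] - c["ts"] <= WINDOW_SECONDS]
            if prior:
                alerts.append({
                    "host": host, "pid": pid, "image": image,
                    "api_endpoint": f'{prior[0]["dst_ip"]}:{prior[0]["dst_port"]}',
                    "lua_evidence": ev.get("path") or ev.get("cmdline"),
                    "ts": ev["ts"],
                })
                break                                # one alert per process is enough
    return alerts


# Constructed sample telemetry covering one true positive and four benign patterns.
SAMPLE_EVENTS = [
    # 1. Unknown binary queries the model, then drops and runs a Lua script -> alert.
    {"ts": 1000, "host": "ws01", "pid": 4120, "image": "/tmp/.cache/updater",
     "event": "net_connect", "dst_ip": "127.0.0.1", "dst_port": 11434},
    {"ts": 1012, "host": "ws01", "pid": 4120, "image": "/tmp/.cache/updater",
     "event": "file_write", "path": "/tmp/enc_2f9a.lua"},
    {"ts": 1013, "host": "ws01", "pid": 4120, "image": "/tmp/.cache/updater",
     "event": "process_create", "cmdline": "/usr/bin/lua5.4 /tmp/enc_2f9a.lua"},
    # 2. Developer using the ollama CLI: allowlisted client, no alert.
    {"ts": 2000, "host": "dev02", "pid": 8801, "image": "/usr/local/bin/ollama",
     "event": "net_connect", "dst_ip": "127.0.0.1", "dst_port": 11434},
    # 3. Script that queries the model but never touches Lua: no alert.
    {"ts": 2100, "host": "dev02", "pid": 8802, "image": "/usr/bin/python3",
     "event": "net_connect", "dst_ip": "127.0.0.1", "dst_port": 11434},
    {"ts": 2105, "host": "dev02", "pid": 8802, "image": "/usr/bin/python3",
     "event": "file_write", "path": "/home/dev/notes.md"},
    # 4. Lua written by a process that never called the API: no alert.
    {"ts": 3000, "host": "ws01", "pid": 5000, "image": "/usr/bin/vim",
     "event": "file_write", "path": "/home/user/game/init.lua"},
    # 5. Lua launched well outside the window after an API call to a remote host: no alert.
    {"ts": 4000, "host": "ws03", "pid": 6100, "image": "/opt/tool/agent",
     "event": "net_connect", "dst_ip": "10.0.0.5", "dst_port": 11434},
    {"ts": 4400, "host": "ws03", "pid": 6100, "image": "/opt/tool/agent",
     "event": "process_create", "cmdline": "luajit /opt/tool/task.lua"},
]

if __name__ == "__main__":
    for alert in find_suspects(SAMPLE_EVENTS):
        print(alert)
```

The correlation is deliberately loose on the network side and strict on the sequence: plenty of legitimate software queries a local model, and plenty writes Lua, but a single non-allowlisted process doing both within minutes is rare enough to review. Tighten by adding a file-hash or signer allowlist for the image, and widen the window if your telemetry timestamps are coarse.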

Observations and Further Recommendations

  • Emergence of AI in Ransomware: A significant trend is the integration of artificial intelligence into attacks. PromptLock is the first known ransomware to use an AI model to generate malicious code dynamically, although it is described as experimental rather than as an active campaign. Separately, threat actors have been reported abusing commercial AI tooling, Anthropic’s Claude Code among them, to develop ransomware and automate extortion campaigns.
  • Shift to Cloud-Centric Attacks: Threat actors are evolving beyond encrypting on-premise files. Groups like Storm-0501 now focus on compromising cloud infrastructure directly, exfiltrating data, and extorting victims, highlighting the growing risk to cloud environments.
  • Persistent and Widespread Threat: A high volume of activity from numerous ransomware-as-a-service groups (including Akira, Cl0p, and others) continues, with a steady stream of new victims being publicly named. This underscores that ransomware remains a pervasive and indiscriminate threat to organizations of all sizes and sectors.
  • Recommendations: Treat cloud identity as the control plane it has become. Enforce MFA and Conditional Access on privileged Entra ID roles, apply least privilege to Azure role assignments, and protect the hybrid identity infrastructure that links on-premises directories to Entra ID as carefully as a domain controller, since that is the pivot point in the Storm-0501 pattern. Detection should cover bulk data exfiltration and mass deletion of cloud resources, not only file encryption, and backups must include copies that the identities used day to day cannot delete.
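
One way to put the "detect mass deletion, not only encryption" recommendation into practice for the Storm-0501 pattern, added here as an example; it is not Microsoft’s detection logic or any vendor’s rule set. It assumes Azure Activity Log records flattened into the constructed form described in the docstring (real exports nest operationName and status and carry many more fields), uses genuine Azure resource-provider operation names for the rules, and treats the thresholds, windows and the "critical" operation list as starting points to tune.

```python
"""Three heuristics over Azure Activity Log records for destructive cloud activity:
single deletions of storage/backup/snapshot resources, bursts of deletes by one
caller, and a role assignment followed quickly by deletes from the same caller.

Record format (constructed, flattened): 'ts' (epoch seconds), 'caller' (UPN or
service-principal ID), 'operation' (resource-provider operation name),
'resource' (ARM resource ID) and 'status' ('Succeeded' or 'Failed').
"""
from collections import defaultdict

BURST_THRESHOLD = 5              # successful deletes by one caller ...
BURST_WINDOW = 600               # ... within ten minutes (assumption)
GRANT_TO_DELETE_WINDOW = 3600    # role assignment then deletion within an hour (assumption)

# Deletions that remove data or the means of recovering it; one success is enough to review.
CRITICAL_DELETES = {
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
    "Microsoft.Compute/snapshots/delete",
}
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def analyze(records):
    """Return a list of alerts, each tagged with the rule that fired."""
    by_caller = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["status"] == "Succeeded":           # failed attempts are a separate signal; skip here
            by_caller[r["caller"]].append(r)

    alerts = []
    for caller, evs in by_caller.items():
        deletes = [e for e in evs if e["operation"].endswith("/delete")]

        # Rule 1: any single deletion of a storage, backup or snapshot resource.
        for e in deletes:
            if e["operation"] in CRITICAL_DELETES:
                alerts.append({"rule": "critical_delete", "caller": caller,
                               "ts": e["ts"], "resource": e["resource"]})

        # Rule 2: a burst of deletes of any kind inside a sliding window.
        for i, first in enumerate(deletes):
            window = [d for d in deletes[i:] if d["ts"] - first["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"rule": "delete_burst", "caller": caller,
                               "ts": first["ts"], "count": len(window),
                               "resources": [d["resource"] for d in window]})
                break                            # report the first qualifying window only

        # Rule 3: the same caller writes a role assignment and then starts deleting
        # within the hour, i.e. freshly granted access put straight to destructive use.
        grants = [e["ts"] for e in evs if e["operation"] == ROLE_ASSIGNMENT_WRITE]
        if grants and deletes:
            first_delete = deletes[0]["ts"]
            earlier = [g for g in grants if 0 <= first_delete - g <= GRANT_TO_DELETE_WINDOW]
            if earlier:
                alerts.append({"rule": "grant_then_delete", "caller": caller,
                               "grant_ts": earlier[-1], "first_delete_ts": first_delete})
    return alerts


def _rec(ts, caller, op, resource, status="Succeeded"):
    return {"ts": ts, "caller": caller, "operation": op, "resource": resource, "status": status}


# Constructed sample: one compromised identity tearing down production storage and its
# backup vault minutes after a role assignment, beside routine deletes by another user.
ATTACKER = "sync-admin@contoso.example"          # hypothetical identity
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_RECORDS = [
    _rec(1000, ATTACKER, ROLE_ASSIGNMENT_WRITE,
         f"{SUB}/providers/Microsoft.Authorization/roleAssignments/ra-1"),
    *[_rec(1200 + 30 * i, ATTACKER, "Microsoft.Storage/storageAccounts/delete",
           f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodsa{i}")
      for i in range(6)],
    _rec(1420, ATTACKER, "Microsoft.RecoveryServices/vaults/delete",
         f"{SUB}/resourceGroups/prod/providers/Microsoft.RecoveryServices/vaults/prod-rsv"),
    _rec(1450, ATTACKER, "Microsoft.Storage/storageAccounts/delete",
         f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodsa9",
         status="Failed"),
    _rec(5000, "alice@contoso.example", "Microsoft.Compute/virtualMachines/delete",
         f"{SUB}/resourceGroups/dev/providers/Microsoft.Compute/virtualMachines/vm-test"),
    _rec(5100, "alice@contoso.example", "Microsoft.Web/sites/delete",
         f"{SUB}/resourceGroups/dev/providers/Microsoft.Web/sites/web-test"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

Rule 1 will fire on legitimate decommissioning; that is intended, since deleting a vault or storage account is worth a human look, and the fix for noise is an approved-change allowlist, not a higher threshold. Rules 2 and 3 are the ones that separate an attacker working through a tenant from an administrator tidying up. The same logic ports directly to a scheduled KQL query over the AzureActivity table in Log Analytics.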

News Details

  • Someone Created the First AI-Powered Ransomware Using OpenAI’s gpt-oss:20b Model: Cybersecurity company ESET has disclosed that it discovered an artificial intelligence (AI)-powered ransomware variant codenamed PromptLock. Written in Go, the newly identified strain uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts in real time.

  • Experimental PromptLock ransomware uses AI to encrypt, steal data: Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems.

  • Malware devs abuse Anthropic’s Claude AI to build ransomware: Anthropic’s Claude Code coding agent has been abused by threat actors who used it in data extortion campaigns and to develop ransomware packages.

  • Storm-0501 hackers shift to ransomware attacks in the cloud: Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion.

  • Storm-0501 Exploits Entra ID to Exfiltrate and Delete Azure Data in Hybrid Cloud Attacks: The financially motivated threat actor known as Storm-0501 has been observed refining its tactics to conduct data exfiltration and extortion attacks targeting cloud environments. “Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files…”.

  • MATLAB dev says ransomware gang stole data of 10,000 people: MathWorks, a leading developer of mathematical simulation and computing software, revealed that a ransomware gang stole the data of over 10,000 people after breaching its network in April.

  • Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups: Many familiar faces made Flashpoint’s 2025 midyear ransomware report, as well as new gangs, which are increasingly using AI.

  • 🏴‍☠️ Akira has just published a new victim : The Fredericks: The Fredericks Company is a leading manufacturer and innovator specializing in tilt and vacuum measurement sensors. We are going to upload company data soon.

  • 🏴‍☠️ Blacknevas has just published a new victim : TOYOTA ASIA TOYOTA INDIA: Hello, I think your IT service hid from you information about the hacking of your corporate network and a data leak. I tell you the details: Your corporate network was checked for vulnerability and did not go through the check. 4TB of data were pumped up, including personal data of employees and the confidential data of the corporation.

  • 🏴‍☠️ Qilin has just published a new victim : Town of Chatham, MASSACHUSETTS: Chatham, Massachusetts is located at the southeast tip of Cape Cod. Chatham MA is a municipal government that provides essential services to its residents, including emergency services, utilities, and community resources.

  • 🏴‍☠️ Incransom has just published a new victim : BDO Perú: We have access to the personal data of your department heads and their electronic signatures, as well as information and signatures of your clients, including accounting data and audit-related materials.