Ransomware Update – 2025-09-03

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Pennsylvania Attorney General’s Office:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Ransomware attack causing system encryption and a prolonged service outage.
    • Targets: Government entity (Office of the Pennsylvania Attorney General).
    • Decryption Status: Not specified; services were disrupted for two weeks.
    • Source: Pennsylvania AG Office says ransomware attack behind recent outage
  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Data exfiltration and public extortion on their leak site.
    • Targets: NPi Audio Visual Solutions (USA events company) and Identic (Belgian digital printing firm).
    • Decryption Status: No known decryption method mentioned.
    • Source: 🏴‍☠️ Qilin has just published a new victim : NPIAV
  • Medusa Ransomware:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Data exfiltration and extortion, with a claim of stealing 2.25 TB of data from one victim.
    • Targets: Level (US-based fintech company) and TEAM GROUP (Thai consulting firm).
    • Decryption Status: No known decryption method mentioned.
    • Source: 🏴‍☠️ Medusa has just published a new victim : Level
  • Akira Ransomware:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Data theft and extortion, threatening to leak financial data, employee information, and other confidential documents.
    • Targets: Natare (Pool designer) and Pooler Enterprises (Land development services).
    • Decryption Status: No known decryption method mentioned.
    • Source: 🏴‍☠️ Akira has just published a new victim : Natare
  • Lunalock Ransomware:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Data breach and extortion, with a novel threat to release stolen user data and submit artwork to AI training datasets.
    • Targets: The website Artists&Clients and its user base.
    • Decryption Status: No known decryption method mentioned.
    • Source: 🏴‍☠️ Lunalock has just published a new victim : Artists&Clients

Observations and Further Recommendations

  • A significant volume of cyberattacks is being reported by numerous ransomware groups, including Qilin, Medusa, Akira, Incransom, and Safepay. The attacks are geographically diverse and target a wide range of industries such as government, manufacturing, technology, finance, and healthcare.
  • The predominant tactic is data exfiltration followed by threats to leak stolen information unless a ransom is paid. This “double extortion” method continues to be the standard operating procedure for these groups.
  • The Salesloft Drift supply chain attack highlights a critical vulnerability in the SaaS ecosystem, where compromising a single vendor led to breaches at major companies like Cloudflare and Palo Alto Networks through stolen OAuth tokens.
  • Organizations should prioritize robust security measures, including regular data backups, implementing multi-factor authentication (MFA), timely patching of vulnerabilities (as highlighted by CISA’s KEV catalog updates), and developing a comprehensive incident response plan. Vetting third-party software and managing API/authentication token security is crucial to mitigate supply chain risks.

News Details

  • Iranian Hackers Exploit 100+ Embassy Email Accounts in Global Phishing Targeting Diplomats: An Iran-nexus group has been linked to a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world.
  • AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals: Cyber threats and attacks like ransomware continue to increase in volume and complexity, with the endpoint typically being the most sought-after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured.
  • Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack: Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps).
  • CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Range Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
  • Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations: Salesloft on Tuesday announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been ensnared in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens.
  • Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE: The North Korea-linked threat actor known as the Lazarus Group has been attributed to a social engineering campaign that distributes three different pieces of cross-platform malware called PondRAT, ThemeForestRAT, and RemotePE.
  • Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control: Cybersecurity researchers have disclosed a stealthy new backdoor called MystRodX that comes with a variety of features to capture sensitive data from compromised systems.
  • Shadow AI Discovery: A Critical Part of Enterprise AI Governance: MIT's State of AI in Business report revealed that while 40% of organizations have purchased enterprise LLM subscriptions, over 90% of employees are actively using AI tools in their daily work.
  • Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices: Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025.
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware: The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions.
  • Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets: Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems.
  • Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans: Cybersecurity researchers are calling attention to a new shift in the Android malware landscape, where dropper apps, which are typically used to deliver banking trojans, are now also distributing simpler malware such as SMS stealers and basic spyware.
  • Hackers breach fintech firm in attempted $130M bank heist: Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix).
  • Cloudflare hit by data breach in Salesloft Drift supply chain attack: Cloudflare is the latest company impacted in a recent string of Salesloft Drift breaches, part of a supply-chain attack disclosed last week.
  • Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps: Internet infrastructure company Cloudflare said it recently blocked the largest recorded volumetric distributed denial-of-service (DDoS) attack, which peaked at 11.5 terabits per second (Tbps).
  • No, Google did not warn 2.5 billion Gmail users to reset passwords: Google has disputed a widely reported story about the company warning all Gmail users to reset their passwords due to a recent data breach that also affected some Workspace accounts.
  • Jaguar Land Rover says cyberattack ‘severely disrupted’ production: Jaguar Land Rover (JLR) announced that a cyberattack forced the company to shut down certain systems as part of the mitigation effort.
  • Pennsylvania AG Office says ransomware attack behind recent outage: The Office of the Pennsylvania Attorney General announced that a ransomware attack is behind the ongoing two-week service outage.
  • Palo Alto Networks data breach exposes customer info, support cases: Palo Alto Networks suffered a data breach that exposed customer data and support cases after attackers abused compromised OAuth tokens from the Salesloft Drift breach to access its Salesforce instance.
  • 🏴‍☠️ Qilin has just published a new victim : NPIAV: NPi Audio Visual Solutions, USA – the company organizes and hosts business events and parties. What happens behind closed doors at private conventions? Now we can peek behind the curtain and find out what the rich and famous really discuss.
  • 🏴‍☠️ Worldleaks has just published a new victim : Risen Energy Co.: Risen Energy Co., Ltd is a leading, global, tier-1, ‘AAA’ credit rated manufacturer of high-performance solar photovoltaic products and provider of total business solutions for power generation.
  • 🏴‍☠️ Medusa has just published a new victim : Level: Level is a B2B2C fintech company comprised of a diverse team from industry-leading companies like Square, Oscar, Google, Uber, and Airbnb.
  • 🏴‍☠️ Medusa has just published a new victim : TEAM GROUP: TEAM GROUP is one of the leading integrated consulting firms in Thailand and region with more than 40 years of experience in comprehensive consulting services. The total amount of data leakage is 2.25 TB.
  • 🏴‍☠️ Incransom has just published a new victim : Bartek Ingredients: Since 1969, Bartek Ingredients has grown from its entrepreneurial roots with a dynamic spirit and disciplined focus in the manufacturing and global sales of malic and fumaric acid.
  • 🏴‍☠️ Lunalock has just published a new victim : Artists&Clients: We have breached the website Artists&Clients to steal and encrypt all its data. If you are a user of this website, you are urged to contact the owners and insist that they pay our ransom. If the ransom is not paid, we will release all data publicly.
  • 🏴‍☠️ Akira has just published a new victim : Natare: Natare Pools specializes in designing, building, and installing custom stainless steel pools, spas, and related equipment. We are ready to upload more than 10Gb files of essential corporate documents.