Ransomware Update – 2025-09-12

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Actively exploiting a critical access control vulnerability (CVE-2024-40766) in SonicWall SSL VPN devices to gain unauthorized initial access.
    • Targets: Organizations using vulnerable SonicWall appliances. Recent claimed victims span multiple industries, including manufacturing (Standard Iron & Wireworks), biotechnology (Fluxergy), legal services (Molod Spitz & DeSantis), and IT consulting (TDK Technologies).
    • Decryption Status: No known free decryptor.
    • Source: “Akira ransomware exploiting critical SonicWall SSLVPN bug again” and “SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers”
  • Gentlemen Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Utilizes a “Bring Your Own Vulnerable Driver” (BYOVD) technique by weaponizing the legitimate ThrottleStop.sys driver to terminate and disable antivirus and endpoint detection and response (EDR) systems.
    • Targets: General targets, with a focus on bypassing endpoint security controls before encryption.
    • Decryption Status: No known free decryptor.
    • Source: “‘Gentlemen’ Ransomware Abuses Vulnerable Driver to Kill Security Gear”
  • INC Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Attack vectors are not detailed, but the group is known for large-scale data exfiltration, claiming to have stolen 20 TB of data in one instance.
    • Targets: High-profile government and corporate entities, including Panama’s Ministry of Economy and Finance (MEF) and a US-based healthcare investment firm (Deerfield Management).
    • Decryption Status: No known free decryptor.
    • Source: “Panama Ministry of Economy discloses breach claimed by INC ransomware” and associated leak site announcements.

Observations and Further Recommendations

  • Ransomware groups continue to actively exploit unpatched vulnerabilities in internet-facing infrastructure, such as the SonicWall VPN flaw leveraged by Akira. This underscores the critical importance of timely patching.
  • Evasion tactics are becoming more sophisticated. The ‘Gentlemen’ ransomware’s use of a vulnerable driver to disable security software highlights a trend of attackers bypassing modern defenses rather than confronting them directly.
  • The high volume of victims posted on leak sites by numerous groups (including Qilin, Daixin, Blacknevas, Radar, and others) indicates that ransomware remains a widespread and persistent threat across all industries.
  • There is growing political pressure for vendor accountability. A U.S. Senator’s call to investigate Microsoft for “gross cybersecurity negligence” could signify a future shift towards holding major technology providers responsible for security failures that enable widespread attacks.

News Details

  • Cloud-Native Security in 2025: Why Runtime Visibility Must Take Center Stage: The security landscape for cloud-native applications is undergoing a profound transformation. Containers, Kubernetes, and serverless technologies are now the default for modern enterprises, accelerating delivery but also expanding the attack surface in ways traditional security models can’t keep up with.
  • Cursor AI Code Editor Flaw Enables Silent Code Execution via Malicious Repositories: A security weakness has been disclosed in the artificial intelligence (AI)-powered code editor Cursor that could trigger code execution when a maliciously crafted repository is opened using the program.
  • Google Pixel 10 Adds C2PA Support to Verify AI-Generated Media Authenticity: Google on Tuesday announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content.
  • Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence: U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called “gross cybersecurity negligence” that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.
  • Cracking the Boardroom Code: Helping CISOs Speak the Language of Business: CISOs know their field. They understand the threat landscape. They understand how to build a strong and cost-effective security stack. They understand how to staff out their organization. They understand the intricacies of compliance. They understand what it takes to reduce risk.
  • SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers: Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access. Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month.
  • Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts: Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data.
  • AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto: Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fileless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.
  • Man gets over 4 years in prison for selling unreleased movies: A Tennessee court has sentenced a Memphis man who worked for a DVD and Blu-ray manufacturing and distribution company to 57 months in prison for stealing and selling digital copies of unreleased movies.
  • Samsung patches actively exploited zero-day reported by WhatsApp: Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices.
  • Microsoft fixes Exchange Online outage affecting users worldwide: Microsoft says that it has mitigated an Exchange Online outage affecting customers worldwide, which blocked their access to emails and calendars.
  • U.S. Senator accuses Microsoft of “gross cybersecurity negligence”: U.S. Senator Ron Wyden has sent a letter to the Federal Trade Commission (FTC) requesting the agency to investigate Microsoft for failing to provide adequate security in its products, which led to ransomware attacks against healthcare organizations.
  • Apple warns customers targeted in recent spyware attacks: Apple warned customers last week that their devices were targeted in a new series of spyware attacks, according to the French national Computer Emergency Response Team (CERT-FR).
  • Panama Ministry of Economy discloses breach claimed by INC ransomware: Panama’s Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack.
  • Microsoft adds malicious link warnings to Teams private chats: Microsoft Teams will automatically alert users when they send or receive a private message containing links that are tagged as malicious.
  • Akira ransomware exploiting critical SonicWall SSLVPN bug again: The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices.
  • New VMScape attack breaks guest-host isolation on AMD, Intel CPUs: A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
  • The Buyer’s Guide to Browser Extension Management: Browser extensions boost productivity—but also open the door to hidden risks like data exfiltration and AitM attacks. Keep Aware’s Buyer’s Guide shows how to gain visibility, enforce policies, and block risky add-ons in real time.
  • DDoS defender targeted in 1.5 Bpps denial-of-service attack: A DDoS mitigation service provider in Europe was targeted in a massive distributed denial-of-service attack that reached 1.5 billion packets per second.
  • Microsoft waives fees for Windows devs publishing to Microsoft Store: Microsoft announced that, starting today, individual Windows developers will no longer have to pay for publishing their applications on the Microsoft Store.
  • Sony’s new Xperia phone jumps on the camera bar bandwagon: The Xperia 10 VII’s camera bar looks Pixel-perfect. Sony has announced the Xperia 10 VII, a midrange Android phone that’s launching in the UK, Europe, and Asia, though not the US.
  • Prongs rock: Here’s a hot take: gaming handhelds are better with prongs. How do I know? I hold a lot of handhelds (and gamepads) here at The Verge, but Microsoft and Asus’s upcoming Xbox Ally X might take the cake for the most comfortable to hold.
  • Microsoft avoids EU fine after Slack complained about Teams bundling: Microsoft has avoided a fine from the European Commission after it was charged with EU antitrust violations for bundling its Teams app with Office 365 and Microsoft 365 subscriptions.
  • Asus gives its $4,000 creator laptop a 4K tandem OLED and RTX 5090: Asus’ ProArt P16 laptop is getting RTX 50-series GPUs and a unique new screen in its high-end configuration. Its biggest upgrades include Nvidia’s top-tier RTX 5090 mobile GPU and a bright 16-inch 3840 x 2400 tandem OLED touchscreen.
  • Apple Watch hypertension alerts cleared by FDA for new and old watches: Starting next week, Apple’s new hypertension notification feature will be coming to Watch Series 9 and later and Apple Watch Ultra 2 and later with the launch of watchOS 26.
  • Microsoft and OpenAI have a new deal that could clear the way for an IPO: As OpenAI attempts to restructure itself and eventually go public, a hurdle for the startup, recently valued at $500 billion, is its increasingly complicated partnership with Microsoft. On Thursday afternoon, the two companies released this joint statement about an agreement they’ve reached.
  • Microsoft is making ‘significant investments’ in training its own AI models: Microsoft AI launched its first in-house models last month, adding to the already complicated relationship with its OpenAI partner. Now, Microsoft AI chief Mustafa Suleyman says the company is making “significant investments” in the compute capacity required to train Microsoft’s own future frontier models.
  • Republicans pledge censorship crackdown to avenge Charlie Kirk’s death: In the wake of right-wing activist Charlie Kirk’s fatal shooting, some political figures are threatening a crackdown on free speech – a cause Kirk claimed to fight for.
  • Anthropic’s Claude AI can now automatically ‘remember’ past chats: Anthropic will now let its Claude AI chatbot “remember” the details of previous conversations without prompting. The feature is only rolling out for Team and Enterprise users for now.
  • Internet detectives are misusing AI to find Charlie Kirk’s alleged shooter: Earlier today, the FBI shared two blurry photos on X of a person of interest in the shooting of right-wing activist Charlie Kirk. Numerous users replied with AI-upscaled, “enhanced” versions of the pictures almost immediately.
  • Vyro AI Leak Reveals Poor Cyber Hygiene: The data leak underscores the larger issue of proprietary or sensitive data being shared with GenAI by users who should know better.
  • ‘Gentlemen’ Ransomware Abuses Vulnerable Driver to Kill Security Gear: By weaponizing the ThrottleStop.sys driver, attackers are disrupting antivirus and endpoint detection and response (EDR) systems.
  • Apple CarPlay RCE Exploit Left Unaddressed in Most Cars: Even when a vulnerability is serious and a fix is available, actually securing cars is more difficult than one would hope.
  • AI-Enhanced Malware Sports Super-Stealthy Tactics: With legit sounding names, EvilAI’s “productivity” apps are reviving classic threats like Trojans while adding new evasion capabilities against modern antivirus defenses.
  • Vidar Infostealer Back With a Vengeance: The pervasive Vidar infostealer has evolved with a suite of new evasion techniques and covert data exfiltration methods, according to researchers.
  • ‘K2 Think’ AI Model Jailbroken Mere Hours After Release: Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse.
  • Cyberattack on Kazakhstan’s Largest Oil Company Was ‘Simulation’: Researchers thought a Russian APT used a compromised employee email to attack Kazakhstan’s biggest oil company. The company later confirmed it was a pen test.
  • Students Pose Inside Threat to Education Sector: The threats may not be malicious, but they are more than many security teams can handle.
  • 🏴‍☠️ Beast has just published a new victim : Meskan Foundry: Meskan Foundry is a 5th generation, family owned, non-ferrous casting facility in Chicago since 1907.
  • 🏴‍☠️ Worldleaks has just published a new victim : Survival Flight Inc: [AI generated] Survival Flight Inc. is a premier emergency medical transportation company in the United States.
  • 🏴‍☠️ Qilin has just published a new victim : TAKwest: Broadband data leak. Those who provide access to new digital opportunities have failed to ensure their own cybersecurity.
  • 🏴‍☠️ Blacknevas has just published a new victim : CARTONAJES BERNABEU SAU www.cartonajesbernabeu.com serviced by IT company Verne Group www….: CARTONAJES BERNABEU SAU, a company specialising in the production and sale of cardboard containers and packaging, was founded in 1965.
  • 🏴‍☠️ Worldleaks has just published a new victim : Northwest Medical Specialties: [AI generated] Northwest Medical Specialties (NWMS) is a healthcare organization based in Tacoma, Washington.
  • 🏴‍☠️ Radar has just published a new victim : Compagnie des Guides de Chamonix: Chamonix Office +33 (0)4 50 53 00 88, Maison de la montagne, 190 place de l’église, 74400 Chamonix
  • 🏴‍☠️ Radar has just published a new victim : Namibia | Epia Financial Services | Windhoek: +264816013040. Mail. [email protected]. Home. No 17 Eulenweg Street, Hochland Park, Windhoek, Namibia.
  • 🏴‍☠️ Radar has just published a new victim : Menten Truck Service N.V., Hoeselt, Belgium: Menten Truck Service. Industrielaan 1084 3730 Hoeselt Tel +32 89 41 12 22.
  • 🏴‍☠️ Akira has just published a new victim : STANDARD IRON & WIREWORKS (Helgesen Industries): STANDARD IRON & WIRE WORKS manufactures products in two distinct divisions. Contract Manufacturing fabricates, assembles and paints heavy-duty products for blue-chip original equipment manufacturers (OEMs).
  • 🏴‍☠️ Akira has just published a new victim : Fluxergy: Fluxergy is developing a platform with multi-modal detection technologies which bring the variety of tests found in the central laboratory.
  • 🏴‍☠️ Akira has just published a new victim : Molod Spitz & DeSantis: Molod Spitz & DeSantis, P.C. specializes in defending clients in complex liability matters in New York and New Jersey courts.
  • 🏴‍☠️ Akira has just published a new victim : TDK Technologies: TDK Technologies provides information technology consulting and custom software development for businesses through either staff augmentation or outsourced project solution delivery.
  • 🏴‍☠️ Killsec has just published a new victim : BlockBets Casino: N/A
  • 🏴‍☠️ Daixin has just published a new victim : SGS Co: Brand design and packaging solutions agency.
  • 🏴‍☠️ Daixin has just published a new victim : Communicare Inc.: Communicare, Inc. has been a premier provider of behavioral health services in Kentucky’s heartland since 1967.
  • 🏴‍☠️ Daixin has just published a new victim : Insurance Office of America: Insurance Office of America (IOA) is a premier, full-service insurance agency dedicated to delivering bespoke insurance solutions since 1988.
  • 🏴‍☠️ Daixin has just published a new victim : Gagosian: Established by Larry Gagosian in Los Angeles in 1980, Gagosian is a global gallery specializing in modern and contemporary art.
  • 🏴‍☠️ Abyss has just published a new victim : moinian.com: Founded in 1982, The Moinian Group is a privately held real estate investment company focusing in New York City commercial, residential, and hospitality properties.
  • 🏴‍☠️ Incransom has just published a new victim : deerfield.com / singulargenomics.com: Deerfield Management (“Deerfield”) is an American investment firm headquartered in New York City. It is focused on making public and private investments in the healthcare and biotechnology industries.
  • 🏴‍☠️ Lynx has just published a new victim : Encore Leisure Group: Encore Leisure Group
  • 🏴‍☠️ Incransom has just published a new victim : transnova-ruf.de: Transnova-Ruf GmbH from Ansbach develops and builds machines with around 300 employees for the automation of end-of-line packaging and palletizing processes.
  • 🏴‍☠️ Qilin has just published a new victim : Spectra Logic: Spectra Logic, USA – data protection and storage company LMAOOOAHHAHA I’m dead!!! Sorry, but this is really funny.
  • 🏴‍☠️ Qilin has just published a new victim : Ekotrade: EKOTRADE was founded in 1991. It operates on the Polish market and is one of the leaders in the security industry.
  • 🏴‍☠️ Safepay has just published a new victim : waverlychildcare.org: Waverly Child Care & Preschool is a nonprofit early childhood education provider based in Waverly, Iowa, established in 1970.
  • 🏴‍☠️ Radar has just published a new victim : RG ELECTRIC COMPANY INC: R. G. Electric Company, Incorporated, a Virginia-based electrical contractor founded in 1980. Around ~500GB of confidential data.
  • 🏴‍☠️ Radar has just published a new victim : ROBERT G. DASHIELL, JR., P.E., INC: Robert G Dashiell Jr PE Inc is a reputable engineering firm based in Norfolk, VA, specializing in providing professional engineering services.
  • Bulletproof Host Stark Industries Evades EU Sanctions: In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns.