Latest Ransomware News and New File Extensions
-
UNC6040 and UNC6395 (Data Extortion Groups):
- New Encrypted File Extension: Not applicable (data theft)
- Attack Methods: Compromising organizations' Salesforce instances via different initial access mechanisms (per the FBI alert), then exfiltrating data and extorting the victim; no file encryption is involved.
- Targets: Organizations that utilize Salesforce.
- Decryption Status: Not applicable as the primary goal is data theft, not encryption.
- Source: URL not provided.
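The FBI alert above gives the attack pattern (compromise the Salesforce tenant, pull data, extort) but the page carries no indicators. The check a defender actually wants is over their own export telemetry. The script below is an added example, not code from the FBI alert or from Salesforce: it runs three checks over constructed export events (unapproved connected app, first-seen source IP for a user, and a bulk export far above the user's baseline). The field names, allowlist, thresholds and sample events are all assumptions and simplifications, not the real Salesforce EventLogFile schema; map them onto Event Monitoring data before using it.

```python
"""Detection sketch for bulk data theft from a Salesforce org.

Added example, not from the FBI alert and not Salesforce's own tooling.
Field names are simplified assumptions, not the real EventLogFile schema;
events, allowlist and baselines are constructed inline so it runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass

APPROVED_APPS = {"Salesforce Data Loader", "Internal Reporting"}  # assumed allowlist
ABS_ROW_LIMIT = 100_000   # assumed: any single-day total above this gets reviewed
RATIO_LIMIT = 10.0        # assumed: flag a day that exceeds 10x the user's baseline


@dataclass(frozen=True)
class ExportEvent:
    day: str         # calendar day of the export
    user: str        # Salesforce user that issued the query/job
    app: str         # connected app / OAuth client that made the call
    client_ip: str   # source address seen by Salesforce
    rows: int        # rows returned or processed


# Constructed sample telemetry, not real data.
EVENTS = [
    ExportEvent("2025-09-10", "alice@example.com", "Internal Reporting", "203.0.113.5", 2_000),
    ExportEvent("2025-09-10", "bob@example.com", "Salesforce Data Loader", "203.0.113.9", 500),
    ExportEvent("2025-09-11", "bob@example.com", "Salesforce Data Loader", "198.51.100.77", 450_000),
    ExportEvent("2025-09-11", "carol@example.com", "Unknown Connector", "192.0.2.44", 30_000),
]
# Constructed per-user baselines: typical rows per day and IPs seen before.
BASELINE_ROWS = {"alice@example.com": 2_500, "bob@example.com": 600, "carol@example.com": 1_000}
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.5"},
    "bob@example.com": {"203.0.113.9"},
    "carol@example.com": {"192.0.2.44"},
}


def detect(events, baseline_rows, known_ips):
    """Return (rule, user, day, detail) tuples for events worth an analyst's time."""
    findings = []
    per_user_day = defaultdict(int)
    for e in events:
        # Rule 1: an OAuth client nobody approved is how a stolen token or a
        # user-installed tool shows up in the tenant.
        if e.app not in APPROVED_APPS:
            findings.append(("unapproved_app", e.user, e.day, e.app))
        # Rule 2: an export from an address this user has never used before.
        if e.client_ip not in known_ips.get(e.user, set()):
            findings.append(("new_source_ip", e.user, e.day, e.client_ip))
        per_user_day[(e.user, e.day)] += e.rows
    # Rule 3: volume. Data theft is loud in row counts even when each call is legitimate.
    for (user, day), total in sorted(per_user_day.items()):
        base = baseline_rows.get(user, 0)
        if total > ABS_ROW_LIMIT or (base and total > RATIO_LIMIT * base):
            findings.append(("bulk_export", user, day, total))
    return findings


def demo():
    return detect(EVENTS, BASELINE_ROWS, KNOWN_IPS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Rule 3 is deliberately a per-day total rather than a per-call threshold: an attacker using a legitimate bulk tool pages through results in many modest calls, so the aggregate is what exposes the theft. Tune the baselines from a few weeks of your own logs before alerting.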
-
HybridPetya:
- New Encrypted File Extension: Not specified.
- Attack Methods: Bypasses UEFI Secure Boot to install a malicious UEFI application on the EFI System Partition (ESP), so the payload runs before the operating system loads and beneath the reach of OS-level endpoint controls.
- Targets: General users and organizations with systems using UEFI.
- Decryption Status: No decryption method reported.
- Source: URL not provided.
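Because HybridPetya lives on the EFI System Partition rather than in the OS, the practical check is a baseline-and-diff of the ESP itself. The script below is an added example, not code from the article or from any HybridPetya analysis: it hashes every file under a mounted ESP, stores the result, and later reports added, removed or modified files, singling out any new or changed .efi binary. The directory tree, file names and contents are constructed in a temp directory so it runs offline; on a real host point it at the mounted ESP (for example /boot/efi on Linux) and keep the baseline file somewhere the machine under test cannot rewrite.

```python
"""Baseline-and-diff check for an EFI System Partition (ESP).

Added example, not from the original article or from any HybridPetya
analysis. The sample ESP layout below is constructed in a temp dir so
the script runs offline; paths, names and contents are illustrative.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_baseline(root: Path, baseline_file: Path) -> None:
    """Record the current ESP state; run this right after provisioning or patching."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def diff_esp(root: Path, baseline_file: Path) -> dict:
    """Compare the live ESP against the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    current = hash_tree(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys() if current[p] != baseline[p])
    # A bootkit needs an executable the firmware will load, so any new or
    # altered .efi file is the first thing to look at.
    suspicious = sorted(p for p in added + modified if p.lower().endswith(".efi"))
    return {"added": added, "removed": removed, "modified": modified, "suspicious_efi": suspicious}


def demo() -> dict:
    """Build a constructed ESP, baseline it, simulate a bootkit drop, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        (esp / "EFI" / "Microsoft" / "Boot").mkdir(parents=True)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI/Microsoft/Boot/bootmgfw.efi").write_bytes(b"constructed: legit bootmgfw")
        (esp / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"constructed: legit fallback loader")
        baseline = Path(tmp) / "esp-baseline.json"
        write_baseline(esp, baseline)

        # Simulate a bootkit: replace the fallback loader and drop a payload beside it.
        (esp / "EFI/BOOT/BOOTX64.EFI").write_bytes(b"constructed: tampered loader")
        (esp / "EFI/BOOT/payload.efi").write_bytes(b"constructed: malicious app")
        return diff_esp(esp, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. A hash diff catches a dropped or replaced loader, but not a legitimately signed loader that is vulnerable and already in the baseline; that is what firmware updates and the Secure Boot revocation list (dbx) are for. And a check run from an OS that has already booted through a compromised loader is only as trustworthy as that loader, so for a suspected host run it from trusted boot media.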
-
Incransom:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and publication of victims on their leak site.
- Targets: Hanzestrohm (Dutch technical products group) and BRIGHT SYSTEM JAPAN CO., LTD (Japanese IT infrastructure company in Thailand).
- Decryption Status: Not applicable (leak site post).
- Source: URL not provided.
-
Medusa:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion; claims to have leaked 678.3 GB of data.
- Targets: Cariri (Caribbean Industrial Research Institute).
- Decryption Status: Not applicable (leak site post).
- Source: URL not provided.
-
Datacarry:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and publication of victims on their leak site.
- Targets: Miljödata (Swedish environmental monitoring systems company).
- Decryption Status: Not applicable (leak site post).
- Source: URL not provided.
-
Safepay:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and publication of victims on their leak site.
- Targets: Halbar Stainless Products Ltd. (manufacturing), the City of Middletown, Ohio (government), and Osage County District Court, Kansas (legal).
- Decryption Status: Not applicable (leak site post).
- Source: URL not provided.
Observations and Further Recommendations
- Ransomware and data extortion groups remain highly active, targeting a diverse range of sectors globally, including government, legal, IT, and industrial entities.
- A notable trend is the increasing technical sophistication of malware, with the new HybridPetya ransomware capable of bypassing fundamental security features like UEFI Secure Boot.
- Attackers are also focusing on enterprise cloud services, as shown by the FBI’s warning about groups targeting Salesforce platforms for data theft.
- Mitigations should match the two threat shapes on this page. For SaaS data theft of the kind reported against Salesforce: review connected apps and OAuth grants, enforce MFA and login IP restrictions, and monitor export telemetry for unusual bulk pulls; backups do not help when the goal is exfiltration rather than encryption. For ESP-resident bootkits such as HybridPetya: keep firmware and the Secure Boot revocation list (dbx) current, baseline the EFI System Partition, and run endpoint protection that inspects boot components. In all cases keep regular, offline or immutable backups and test restores.
News Details
- FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks: The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. “Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms,” the FBI said.
- New HybridPetya ransomware can bypass UEFI Secure Boot: A recently discovered ransomware strain called HybridPetya can bypass the UEFI Secure Boot feature to install a malicious application on the EFI System Partition.
- French Advisory Sheds Light on Apple Spyware Activity: CERT-FR’s advisory follows last month’s disclosure of a zero-day flaw Apple said was used in “sophisticated” attacks against targeted individuals.
- 🏴☠️ Incransom has just published a new victim : Hanzestrohm: Hanzestrohm is a group of companies offering specialist products and services from a technical brand portfolio. The Hanzestrohm companies have in-depth know-how in the fields of building solutions, industrial solutions and infrastructure solutions.
- 🏴☠️ Medusa has just published a new victim : Cariri: The Institute was established in 1970 as an initiative of the Government of Trinidad and Tobago with financial and technical support from the United Nations Development Programme (UNDP) and United Nations Industrial Development Organization (UNIDO). […] The total amount of data leakage is 678.3 GB
- 🏴☠️ Incransom has just published a new victim : BRIGHT SYSTEM JAPAN CO., LTD: BRIGHT SYSTEM JAPAN CO., LTD. will support the IT infrastructure of Japanese corporations in Thailand. Currently, many Japanese corporations are expanding their business in Thailand. Therefore, we will not protect your data well, and it will be successfully leaked.
- 🏴☠️ Datacarry has just published a new victim : Miljödata: [AI generated] Miljödata, based in Sweden, specializes in developing systems to monitor environment quality. Their products are used in studying environmental changes within aspects like groundwater, surface water, air, and precipitation.
- 🏴☠️ Safepay has just published a new victim : halbarstainless.com: Halbar Stainless Products Ltd., founded in 1974 by Cliff Baird, is a family-owned custom metal fabrication company specializing in stainless …
- 🏴☠️ Safepay has just published a new victim : cityofmiddletown.org: The City of Middletown, located in Ohio, United States, operates as a municipal government dedicated to providing essential services and …
- 🏴☠️ Safepay has just published a new victim : osdcourtks.org: The domain osdcourtks.org appears to belong to the Osage County District Court in Kansas. As part of Kansas’s Fourth Judicial …