Latest Ransomware News and New File Extensions
FBI Warning (UNC6040 and UNC6395):
- New Encrypted File Extension: Not applicable (focus is on data theft and extortion).
- Attack Methods: Compromising organizations’ Salesforce environments to exfiltrate data for extortion purposes.
- Targets: Organizations using Salesforce.
- Decryption Status: Not applicable.
- Source: No URL provided; based on the article “FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data” (summarized under News Details below).
Qilin Ransomware:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion via a leak site. The group is conducting a targeted campaign named “Korean Leak.”
- Targets: Diverse global entities, including multiple asset management firms in South Korea, transportation companies (Volume Transportation), healthcare organizations (Therapeutic Research Center), and government entities (Orleans Parish Sheriff’s Office).
- Decryption Status: No known public decryptor.
- Source: Ransomware leak site notifications.
Incransom Ransomware:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and publishing victims on a leak site to extort payment.
- Targets: A wide range of sectors, including major corporations (Xerox, Yamaha Motor Philippines), healthcare (WellLife Network, Conceptions Reproductive Associates), education (Cleveland City School District), and labor unions (UNITE HERE!).
- Decryption Status: No known public decryptor.
- Source: Ransomware leak site notifications.
Pear Ransomware:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: Primarily US-based organizations, including law firms, healthcare providers (Beaumont Bone & Joint Institute), non-profits (Catholic Charities), and educational institutions (Cheyney University).
- Decryption Status: No known public decryptor.
- Source: Ransomware leak site notifications.
Other Active Groups (Play, Medusa, Medusalocker, Everest, Killsec, Lynx):
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data theft and extortion via public shaming on leak sites.
- Targets: Various individual organizations across industries, including manufacturing (Baum Precision Machining), energy (usenergy), finance (MFO ITALIA), and luxury goods (Groupe Clarins).
- Decryption Status: No known public decryptors for recent versions.
- Source: Ransomware leak site notifications.
Observations and Further Recommendations
- Ransomware activity remains high, with groups like Qilin, Incransom, and Pear being particularly prolific in announcing victims across diverse and critical sectors.
- The Qilin group is running a notable targeted campaign, referred to as the “Korean Leak,” specifically naming multiple asset management firms in South Korea.
- An FBI alert underscores the trend of threat actors targeting cloud platforms like Salesforce for data exfiltration and extortion, which can occur independently of traditional network-wide encryption.
- Organizations should prioritize securing cloud environments (e.g., Salesforce, Microsoft 365) by enforcing multi-factor authentication (MFA), conducting security audits, and limiting user permissions, in addition to maintaining standard network security protocols.
News Details
- AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads Amid Abuse Concerns: A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes.
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks: Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware.
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data: The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.
- New VoidProxy phishing service targets Microsoft 365, Google accounts: A newly discovered phishing-as-a-service (PhaaS) platform, named VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers such as Okta.
- AirPods Pro 3 review: tripling down on a good thing: The AirPods Pro 3 are the slam dunk win of this product cycle. The AirPods Pro are about as ubiquitous as earbuds can get.
- Android’s next flagship processor will be the ‘Snapdragon 8 Elite Gen 5’: Qualcomm has announced that its upcoming flagship mobile chipset is the “Snapdragon 8 Elite Gen 5,” a confusingly named successor to the Snapdragon 8 Elite.
- Microsoft is changing how Xbox controllers work on Windows 11: Microsoft has started testing a change to how Xbox controllers operate on Windows 11. The change will allow Xbox controllers to easily access the Task View on Windows 11 to tab between apps and games, using the Xbox button.
- The SSD version of LaCie’s iconic Rugged drive gets a speed boost: Neil Poulton succeeded in elevating the design of external drives two decades ago with the introduction of LaCie’s Rugged line, which features a bright orange bumper to protect data from drops.
- Apple’s new iPhone charger is a first of its kind: Alongside its new iPhone 17 lineup, Apple casually launched a world’s first last week inside the very dull sounding “Apple 40W Dynamic Power Adapter with 60W Max.”
- What’s next for Apple after the iPhone 17?: We only just put Apple’s iPhone 17 launch event behind us, but Bloomberg’s Mark Gurman is already glancing into his crystal ball to see what’s next for the company.
- Rolling Stone’s parent company sues Google over AI Overviews: Penske Media Corporation, the publisher of Rolling Stone and The Hollywood Reporter, has become the first major American media company to sue Google over its AI summaries.
- The Helldivers community is coping with a spotlight it doesn’t want: “Yesterday was an interesting day for the Helldivers community.” That’s the very obvious understatement that announced the reopening of the Helldivers gaming subreddit in the small hours of Saturday morning.
- Scarlet turns Shakespeare into an animated fantasy epic: Well, I was wrong, and I did manage to make it to one last day at the Toronto International Film Festival. One of the movies I wanted to see the most this year was Scarlet, the latest from Mamoru Hosoda…
- In Silksong, spite is my motivation to keep playing: I would not call the time I’m having with Hollow Knight: Silksong “fun,” and yet I’m still playing.
- 🏴☠️ Killsec has just published a new victim : HappyTenant: N/A
- 🏴☠️ Qilin has just published a new victim : volinc.com: Founded in 1992 and headquartered in Conyers, Georgia, Volume Transportation, Inc. provides ground transportation, cargo loading, warehousing, storage, and material flow management services.
- 🏴☠️ Qilin has just published a new victim : trchealthcare.com: The Therapeutic Research Center was founded in 1985 and is headquartered in Stockton, California. The Therapeutic Research Center specializes in studying and evaluating new drugs that are approved for use each year.
- 🏴☠️ Incransom has just published a new victim : CBL-SRL: [email protected]
- 🏴☠️ Play has just published a new victim : Baum Precision Machining: United States
- 🏴☠️ Incransom has just published a new victim : www.roscovision.com: Founded in 1907, Rosco, based in Jamaica, N.Y., is one of North America's leading suppliers of backup camera systems, mirrors, visors, video recording, sensor products, collision avoidance systems and other visual safety solutions to the worldwide commercial vehicle market.
- 🏴☠️ Incransom has just published a new victim : http://www.hiec.com/: H.I. Executive Consulting is a global executive search firm specializing in the recruitment of Board, CEO, and senior-level executives.
- 🏴☠️ Incransom has just published a new victim : https://heritagegrowth.com/: Founded in 2014, Heritage Growth Partners is a private, family investment office specializing in growth equity investments in collaboration with owner-managers.
- 🏴☠️ Qilin has just published a new victim : Klarman Asset Management: Klarman Asset Management, Korean Leak part 7 – careful investing did not save them from losses.
- 🏴☠️ Qilin has just published a new victim : Human and Bridge Asset Management: Human and Bridge Asset Management, Korean Leak part 8 – another company with evidence of commercial collusion.
- 🏴☠️ Qilin has just published a new victim : Awesome Asset Management Co: Awesome Asset Management Co., Korean Leak part 9 – Safe First, Benefit Second. But only on paper.
- 🏴☠️ Qilin has just published a new victim : Pollex Asset Management Co.: Pollex Asset Management Co., Korean Leak part 10 – The Company operates in the financial market.
- 🏴☠️ Everest has just published a new victim : MFO ITALIA: [AI generated] “MFO ITALIA” is a niche finance company that specialises in short and medium term loans for Italian-based enterprises.
- 🏴☠️ Everest has just published a new victim : Key 4 Energy Srl: [AI generated] Key 4 Energy Srl is an Italy-based company specializing in the optimization of energy resources.
- 🏴☠️ Everest has just published a new victim : Studio Legale Tisot Iuris: [AI generated] “N/A”
- 🏴☠️ Everest has just published a new victim : Professional Trust Company: [AI generated] N/A
- 🏴☠️ Qilin has just published a new victim : VANCHOR Asset Management: VANCHOR Asset Management, Korean Leak part 1 – The company operates in the stock market and provides and manages products based on alternative investment assets…
- 🏴☠️ Qilin has just published a new victim : APEX Asset Management: APEX Asset Management, Korean Leak part 2 – The company operates on the stock market in the field of private equity.
- 🏴☠️ Medusalocker has just published a new victim : usenergy: Price-$120000 (sale in one hand there are options for making a profit from these files will be included in the deal)
- 🏴☠️ Everest has just published a new victim : Groupe Clarins: [AI generated] Groupe Clarins is a French luxury cosmetics company, which develops skincare, makeup and fragrances products.
- 🏴☠️ Lynx has just published a new victim : olarra: Olarra is specialized in long products manufacturing. In Olarra's leaflet, martensitic and ferritic steels can be found, but the essential part of their production is based on austenitic steels.
- 🏴☠️ Incransom has just published a new victim : Xerox: Xerox Corporation provides document management solutions worldwide. The company’s Document Technology segment offers desktop monochrome and color printers, multifunction printers, copiers, digital printing presses, and light production devices…
- 🏴☠️ Pear has just published a new victim : Reynolds & Reynolds: Leading provider of automotive retailing solutions that help manage and improve dealership
- 🏴☠️ Incransom has just published a new victim : UNITE HERE!: UNITE HERE is a labor union in the United States and Canada with roughly 300,000 active members.
- 🏴☠️ Medusa has just published a new victim : Cariri: The Institute was established in 1970 as an initiative of the Government of Trinidad and Tobago with financial and technical support from the United Nations Development Programme (UNDP) and United Nations Industrial Development Organization (UNIDO).