Latest Ransomware News and New File Extensions
-
KillSec:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, including a supply chain attack targeting a healthcare technology provider.
- Targets: A Brazilian healthcare software provider, “Allure Clinics,” and property management software “HappyTenant.”
- Decryption Status: Not specified; the primary focus appears to be on data leakage for extortion.
- Source: “KillSec Ransomware Hits Brazilian Healthcare Software Provider” (from provided news)
-
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and publication on their leak site as part of a multi-victim campaign.
- Targets: Actively targeting multiple asset management firms in a campaign labeled the “Korean Leak.” Also listed victims in US transportation (Volume Transportation) and healthcare research (TRC Healthcare).
- Decryption Status: Not specified; focus is on data leakage.
- Source: Provided Ransomware Activity Feed
-
Coinbasecartel (New Prominent Group):
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion targeting high-profile, large-scale corporations.
- Targets: A wide range of major international companies including SK Telecom (South Korean wireless carrier), Desjardins Group (Canadian banking), NTT Data (global IT services), Plug Power (clean energy), and Ceva Logistics (supply chain management).
- Decryption Status: Not specified.
- Source: Provided Ransomware Activity Feed
-
Other Active Groups:
- Prominent Details: Numerous other ransomware groups including Play, Akira, Incransom, Sarcoma, and Dragonforce were observed publishing new victims from various sectors such as manufacturing, retail, technology, and fashion across North America, Europe, and Asia.
- Attack Methods: The primary method observed is data exfiltration followed by public naming and shaming on leak sites to pressure victims into paying a ransom.
- Source: Provided Ransomware Activity Feed
Observations and Further Recommendations
- A high volume of ransomware activity is reported from numerous distinct groups, indicating a thriving and fragmented cybercrime ecosystem.
- The dominant tactic is “double extortion,” where threat actors steal sensitive data before encrypting it (or simply steal the data without encrypting anything) and threaten to leak it if the ransom is not paid. This pattern is evident across nearly all reported incidents.
- Ransomware groups continue to target a diverse range of global industries, including critical sectors like healthcare, finance, technology, and energy, demonstrating a broad and opportunistic approach.
- Given the focus on data exfiltration, organizations should prioritize not only perimeter security and vulnerability management but also robust internal security controls, network segmentation, and advanced threat detection capabilities to identify and block data theft in progress.
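One way to act on the last recommendation, as an added example that is not part of the original digest: a small Python detector run over constructed outbound-flow summaries (host, destination, bytes out, day). The hosts, destinations and byte counts are invented, and the rule (a host's daily egress at least 10x its own median baseline, with the day's largest transfer going to a destination that host has never contacted) is an illustrative assumption, not a vendor's or the page's own logic.

```python
"""Flag hosts whose outbound data volume looks like bulk exfiltration.

Added example, not from the original digest. Records are constructed flow
summaries; a real deployment would feed them from NetFlow or proxy logs.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: 7 days of normal traffic, then day 8 where ws-02
# pushes ~40 GB to a destination it has never talked to before.
FLOWS = [
    *[("ws-01", "crm.example.net", 300_000_000 + d * 5_000_000, d) for d in range(1, 8)],
    *[("ws-02", "mail.example.net", 120_000_000, d) for d in range(1, 8)],
    ("ws-01", "crm.example.net", 310_000_000, 8),
    ("ws-02", "mail.example.net", 118_000_000, 8),
    ("ws-02", "transfer.unknown-host.example", 40_000_000_000, 8),  # suspicious
]


def find_exfil_candidates(flows, day, ratio=10.0, min_bytes=1_000_000_000):
    """Return (host, dest, bytes) for hosts whose egress on `day` is at least
    `ratio` x their median daily egress on earlier days, whose largest transfer
    that day went to a never-before-seen destination, and whose total egress
    that day is at least `min_bytes` (assumed thresholds, tune per network).
    """
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes out
    known_dest = defaultdict(set)                   # host -> destinations before `day`
    biggest = {}                                    # host -> (dest, bytes) on `day`
    for host, dest, nbytes, d in flows:
        daily[host][d] += nbytes
        if d < day:
            known_dest[host].add(dest)
        elif d == day and nbytes > biggest.get(host, ("", 0))[1]:
            biggest[host] = (dest, nbytes)
    hits = []
    for host, per_day in daily.items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if not history or today < min_bytes:
            continue  # no baseline yet, or too little traffic to matter
        dest, nbytes = biggest.get(host, ("", 0))
        if today >= ratio * median(history) and dest not in known_dest[host]:
            hits.append((host, dest, nbytes))
    return hits


if __name__ == "__main__":
    for host, dest, nbytes in find_exfil_candidates(FLOWS, day=8):
        print(f"{host}: {nbytes / 1e9:.1f} GB to new destination {dest}")
```

Segmentation and egress filtering decide what such a hit can reach; the detector only tells you where to look first.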
News Details
- Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack: Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.
- Securing the Agentic Era: Introducing Astrix’s AI Agent Control Plane: AI agents are rapidly becoming a core part of the enterprise, being embedded across enterprise workflows, operating with autonomy, and making decisions about which systems to access and how to use them. But as agents grow in power and autonomy, so do the risks and threats.
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds: A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix. The RowHammer attack variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the attack.
- 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials: Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers.
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs: The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. “The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers said.
- 6 Browser-Based Attacks Security Teams Need to Prepare For Right Now: Attacks that target users in their web browsers have seen an unprecedented rise in recent years. In this article, we’ll explore what a “browser-based attack” is, and why they’re proving to be so effective.
- ⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More: In a world where threats are persistent, the modern CISO’s real job isn’t just to secure technology—it’s to preserve institutional trust and ensure business continuity. This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together.
- AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads Amid Abuse Concerns: A new artificial intelligence (AI)-powered penetration testing tool linked to a China-based company has attracted nearly 11,000 downloads on the Python Package Index (PyPI) repository, raising concerns that it could be repurposed by cybercriminals for malicious purposes.
- HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks: Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware.
- OpenAI’s new GPT-5 Codex model takes on Claude Code: OpenAI is rolling out the GPT-5 Codex model to all Codex instances, including Terminal, IDE extension, and Codex Web (codex.chatgpt.com).
- Google confirms fraudulent account created in law enforcement portal: Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company.
- FinWise insider breach impacts 689K American First Finance customers: FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment.
- New Phoenix attack bypasses Rowhammer defenses in DDR5 memory: Academic researchers have devised a new variant of Rowhammer attacks that bypass the latest protection mechanisms on DDR5 memory chips from SK Hynix.
- Microsoft: Exchange 2016 and 2019 reach end of support in 30 days: Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers.
- Microsoft to force install the Microsoft 365 Copilot app in October: Next month, Microsoft will begin automatically installing the Microsoft 365 Copilot app on Windows devices outside of the EEA region that have the Microsoft 365 desktop client apps.
- Stop waiting on NVD — get real-time vulnerability alerts now: Vulnerabilities are discovered daily—but not every alert matters. SecAlerts pulls from 100+ sources for faster, real-time vuln alerts, filtering the noise so teams can patch quicker and stay secure.
- Microsoft fixes Windows 11 audio issues confirmed in December: Microsoft has removed a safeguard hold that prevented some users from upgrading their systems to Windows 11 24H2 due to compatibility issues that were causing Bluetooth headsets and speakers to malfunction.
- Microsoft says Windows September updates break SMBv1 shares: Microsoft has confirmed that the September 2025 Windows security updates are causing connection issues to Server Message Block (SMB) v1 shares.
- FBI warns of UNC6040, UNC6395 hackers stealing Salesforce data: The FBI has issued a FLASH alert warning that two threat clusters, tracked as UNC6040 and UNC6395, are compromising organizations’ Salesforce environments to steal data and extort victims.
- Microsoft favors Anthropic over OpenAI for Visual Studio Code: Microsoft is adding automatic AI model selection to its Visual Studio Code editor that will automatically pick the best model for “optimal performance.” This new auto model feature will select between Claude Sonnet 4, GPT-5, GPT-5 mini and other models for GitHub Copilot free users.
- Nothing plans to launch ‘first AI-native devices next year’: London-based consumer tech startup Nothing has raised $200 million and vowed to usher in a new generation of “AI-native” devices running on operating systems that “are significantly different from the ones today.”
- Microsoft’s Xbox PC app adds Steam games and access to other stores: Microsoft is rolling out a new aggregated gaming library inside its Xbox PC app today on Windows. The updated app will now list games from Steam, Battle.net, and other PC storefronts.
- Amazon’s next Prime Day sale is happening on October 7th: Amazon has announced its fall Prime Big Deal Days event. It starts at 12:01AM PT / 3:01AM ET on Tuesday, October 7th, and runs through Wednesday, October 8th.
- The best Xbox controller to buy right now: We live in a golden age of controllers. The gamepads on the market now are of higher quality, more versatile, and more customizable than anything from even one console generation ago.
- Here are the best AirPods deals you can get right now: If you know where to look, you can often score discounts on Apple’s ever-expanding AirPods lineup. Both the newer AirPods Max and AirPods 4 (with and without ANC) now consistently receive discounts, as do the latest AirPods Pro with USB-C.
- Facebook gave our data to Cambridge Analytica and all I got was this $38.36: Remember back in 2023, when we told you how to get your cut of a $725 million class action settlement? A couple of years later, that money is going out.
- The Supreme Court is Google’s last hope to avoid an Epic reckoning in October: The Ninth Circuit Court of Appeals is done with its role in the Epic Google case, and Google won’t be happy with the result. On Friday, the court completely denied its petition to have its Epic v. Google case re-heard.
- Meta leaks its new smart glasses with a display: An unlisted and now-removed video from Meta showed off a new pair of Ray-Ban branded smart glasses with a display and a wristband to help control them, as reported by UploadVR.
- Trump says foreign workers are ‘welcome’ after ICE raid in Georgia targets hundreds of South Koreans: President Donald Trump is trying to smooth things over with South Korea after his administration arrested hundreds of workers at a Hyundai plant in Georgia earlier this month.
- KillSec Ransomware Hits Brazilian Healthcare Software Provider: The ransomware gang breached a “major element” of the healthcare technology supply chain and stole sensitive patient data, according to researchers.
- FBI Warns of Threat Actors Hitting Salesforce Customers: The FBI’s IC3 recently warned of two threat actors, UNC6040 and UNC6395, targeting Salesforce customers, separately and in tandem.
- Building Resilient IT Infrastructure From the Start: CISA’s Secure by Design planted a flag. Now, it’s on those who care about safeguarding systems to pick up the torch and take action to secure systems throughout the enterprise.
- ‘Lies-in-the-Loop’ Attack Defeats AI Coding Agents: Researchers convince Anthropic’s AI-assisted coding tool to engage in dangerous behavior by lying to it, paving the way for a supply chain attack.
- 🏴☠️ Beast has just published a new victim : Medpeds: MedPeds Associates, located in Sarasota, Florida, specializes in Internal Medicine and Pediatrics with a strong emphasis on preventive care for adults, seniors, and children.
- 🏴☠️ Dragonforce has just published a new victim : Concord New Energy Group: Concord New Energy Group Limited (CNE) specializes in wind and solar power operation. To date, we are the only pure vertically integrated clean energy power company listed on the Hong Kong Stock Exchange.
- 🏴☠️ Killsec has just published a new victim : Allure Clinics: N/A
- 🏴☠️ Sarcoma has just published a new victim : F1-Generation: F1-Generation GmbH is a distributor of internationally renowned fashion brands in the European market, managing over 10 labels. Its product portfolio includes designer lingerie, loungewear, swimwear, hosiery, shapewear, and fashion accessories.
- 🏴☠️ Imncrew has just published a new victim : Jansenfurniture.com: Jansen Furniture is a brand and producer of luxury furniture. It has been family owned since it was founded in 1982 by Peter Andries Jansen.
- 🏴☠️ Warlock has just published a new victim : chroma.com.tw: all data
- 🏴☠️ Play has just published a new victim : RGR Sportswear: Canada
- 🏴☠️ Akira has just published a new victim : CyberData: CyberData Corporation is a leading OEM design and manufacturing firm with more than 40 years of experience. We are going to upload 9GB of corporate data.
- 🏴☠️ Incransom has just published a new victim : Venlogistics: Venlogistics is a European cargo network specializing in various logistics services including groupage, forwarding, and warehousing.
- 🏴☠️ Qilin has just published a new victim : volinc.com: Founded in 1992 and headquartered in Conyers, Georgia, Volume Transportation, Inc. provides ground transportation, cargo loading, warehousing, storage, and material flow management services.
- 🏴☠️ Everest has just published a new victim : MFO ITALIA: “MFO ITALIA” is a niche finance company that specialises in short and medium term loans for Italian-based enterprises.