Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and public disclosure of victims to extort payment. The group details the types of sensitive data stolen, such as personal information (SSNs, passports), financial records, and confidential corporate documents.
- Targets: A diverse range of industries including hospitality (Gurney’s Resorts), defense/engineering (Hood Technology), legal (Cook Brown, Wargo French), and data processing (MMI Direct).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware Leak Site Monitor (URL not provided).
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, focusing on a specific geographic and industrial sector. The attacks are part of a series labeled “Korean Leak2.”
- Targets: Multiple South Korean financial firms, specifically asset management companies.
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware Leak Site Monitor (URL not provided).
Incransom:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion via public shaming on their leak site.
- Targets: Various sectors including medical technology (CardioFocus), business services (Cardinal Services), and law firms (lindenlaw.com).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware Leak Site Monitor (URL not provided).
CountLoader (Malware Loader):
- New Encrypted File Extension: Not applicable (this is a loader, not a ransomware strain).
- Attack Methods: Used by Initial Access Brokers (IABs) and ransomware affiliates to deliver secondary payloads, including Cobalt Strike, AdaptixC2, and the PureHVNC RAT.
- Targets: Used in operations by Russian ransomware gangs with ties to groups like LockBit.
- Decryption Status: Not applicable.
- Source: thehackernews.com (URL not provided).
ShinyHunters (Extortion Group):
- New Encrypted File Extension: Not applicable (data theft and extortion).
- Attack Methods: Claims to have stolen 1.5 billion Salesforce records by abusing compromised Salesloft Drift OAuth tokens.
- Targets: 760 companies that use Salesforce.
- Decryption Status: Not applicable.
- Source: bleepingcomputer.com (URL not provided).
Observations and Further Recommendations
- Ransomware and extortion groups continue to attack a wide array of industries without discrimination, as seen with Akira’s varied victim list. However, highly targeted campaigns against specific sectors and regions, like Qilin’s focus on South Korean financial firms, are also prevalent.
- The cybercrime ecosystem remains highly specialized, with tools like the CountLoader malware being used by ransomware affiliates to streamline the deployment of post-exploitation tools.
- Data exfiltration is the universal tactic. Groups publicly list stolen data, including employee PII, client information, and financial records, to pressure victims into paying ransoms.
- Given the news of breaches stemming from vulnerabilities (Ivanti, Chrome) and compromised credentials (SonicWall, ShinyHunters), organizations should prioritize multi-factor authentication (MFA), timely patching of all systems, and robust management of third-party application tokens (like OAuth).
News Details
- CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader: Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
- VC giant Insight Partners warns thousands after ransomware breach: New York-based venture capital and private equity firm Insight Partners is notifying thousands of individuals whose personal information was stolen in a ransomware attack.
- ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks: The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens.
- U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack: Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency.
- CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization’s network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
- SonicWall Urges Password Resets After Cloud Backup Breach Affecting Under 5% of Customers: SonicWall is urging customers to reset credentials after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts.
- Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions: Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.
- Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine: Cybersecurity researchers have discerned evidence of two Russian hacking groups, Gamaredon and Turla, collaborating to target and co-compromise Ukrainian entities.
- 🏴☠️ Akira has just published a new victim : Gurney’s Resorts: Gurneys Montauk Resort & Seawater Spa is a luxury beach hotel located in Montauk, NY, offering 158 rooms, suites, and beachfront cottages with stunning ocean views. We are going to upload 20GB of corporate data.
- 🏴☠️ Qilin has just published a new victim : Broad High Asset Management: Broad High Asset Management Co., Korean Leak2. A private investment fund management company registered with the Financial Services Commission in April 2022.
- 🏴☠️ Incransom has just published a new victim : cardiofocus.com: CardioFocus specializes in offering innovative tools for electrophysiologists to treat atrial fibrillation. Their advanced technologies, including the HeartLight X3 and Centauri System, leverage laser and PFA technology for precise and effective treatment.