Ransomware Update – 2025-09-20

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • MalTerminal (AI-Powered Malware):

    • New Encrypted File Extension: Not applicable; this is a malware creation tool.
    • Attack Methods: A newly discovered malware that utilizes Large Language Model (LLM) capabilities, such as GPT-4, to generate its own malicious code, including ransomware and reverse shells.
    • Targets: Not specified; it’s a tool that can be used by threat actors against various targets.
    • Decryption Status: Not applicable.
    • Source: Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell
  • Akira:

    • New Encrypted File Extension: Not specified in the reports.
    • Attack Methods: Data theft and public extortion via their leak site. Claims to have exfiltrated sensitive corporate and personal data.
    • Targets: Multiple organizations across various sectors, including KCI Telecommunications, Jones Soda (beverages), Ross, Brittain & Schonberg (legal), Gurney’s Resorts (hospitality), Hood Technology (engineering), Ronald A/S (import), Cook Brown (legal), MMI Direct (data processing), Intellect Systems (tech/resources), and Wargo French (legal).
    • Decryption Status: No known free tool; these are extortion notices.
    • Source: Ransomware leak site announcements for the listed victims.
  • Qilin:

    • New Encrypted File Extension: Not specified in the reports.
    • Attack Methods: Data theft and extortion.
    • Targets: Promociones Luis Barros (construction) and EUM Asset Management (financial services).
    • Decryption Status: No known free tool; these are extortion notices.
    • Source: Ransomware leak site announcements for the listed victims.
  • Embargo:

    • New Encrypted File Extension: Not specified in the reports.
    • Attack Methods: Data exfiltration (claimed 2 TB) and extortion.
    • Targets: USA DeBusk (industrial cleaning services).
    • Decryption Status: No known free tool; these are extortion notices.
    • Source: 🏴‍☠️ Embargo has just published a new victim : usadebusk.com
  • Other Active Groups (Play, Anubis, Obscura, Incransom, etc.):

    • New Encrypted File Extension: Not specified in the reports.
    • Attack Methods: Data theft and public extortion are the primary methods indicated by the leak site posts.
    • Targets: A diverse range of entities including:
      • Play: United Machine (USA)
      • Anubis: Alan Shintani, Inc. (construction/government facilities)
      • Obscura: EAST Design Architect Sdn. Bhd (design) and Espectral (tech equipment)
      • Incransom: cardiofocus.com (medical technology)
      • Kairos: Heidelberg Golf Club (Australia)
      • Securotrop: Mitrani Rynor Adamsky & Toland (legal)
      • Worldleaks: Legend Senior Living, ACRO Automation Systems, City Wide (building maintenance)
      • Pear: Dubroff, Easley & Lovell, LLP (legal) and Tri-Century Eye Care
    • Decryption Status: No known free tool; these are extortion notices.
    • Source: Ransomware leak site announcements for the listed victims.

Observations and Further Recommendations

  • Ransomware groups continue to operate with high frequency, targeting a wide array of industries including legal, technology, finance, manufacturing, hospitality, and healthcare. The Akira ransomware group appears particularly active based on the number of recent victims announced.
  • The primary tactic observed is data exfiltration followed by extortion, threatening to leak sensitive corporate, employee, and client data if the ransom is not paid.
  • A significant new development is the discovery of “MalTerminal,” a malware that uses AI (LLMs) to generate ransomware on the fly. This indicates a trend towards more sophisticated and automated malware creation, potentially lowering the barrier for less-skilled actors and increasing the novelty of attacks.
  • To mitigate risks, organizations should prioritize robust security measures, including regular data backups (stored offline and tested), multi-factor authentication (MFA) on all critical accounts, timely patching of software vulnerabilities, and employee training on phishing and social engineering awareness.

News Details

  • LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer: LastPass is warning of an ongoing, widespread information stealer campaign targeting Apple macOS users through fake GitHub repositories that distribute malware-laced programs masquerading as legitimate tools.
  • Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell: Cybersecurity researchers have discovered what they say is the earliest known example to date of malware that bakes in Large Language Model (LLM) capabilities. The malware has been codenamed MalTerminal by SentinelOne's SentinelLABS research team.
  • ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent: Cybersecurity researchers have disclosed a zero-click flaw in OpenAI ChatGPT’s Deep Research agent that could allow an attacker to leak sensitive Gmail inbox data with a single crafted email without any user action.
  • UNC1549 Hacks 34 Devices in 11 Telecom Firms via LinkedIn Job Lures and MINIBIKE Malware: An Iran-nexus cyber espionage group known as UNC1549 has been attributed to a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations as part of a recruitment-themed activity on LinkedIn.
  • SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers: A proxy network known as REM Proxy is powered by malware known as SystemBC, offering about 80% of the botnet to its users, according to new findings from the Black Lotus Labs team at Lumen Technologies.
  • Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability: Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity.
  • 17,500 Phishing Domains Target 316 Brands Across 74 Countries in Global PhaaS Surge: The phishing-as-a-service (PhaaS) offering known as Lighthouse and Lucid has been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries.
  • How To Automate Alert Triage With AI Agents and Confluence SOPs Using Tines: Run by the team at workflow orchestration and AI platform Tines, the Tines library features over 1,000 pre-built workflows shared by security practitioners from across the community – all free to import and deploy through the platform’s Community Edition.
  • Russian Hackers Gamaredon and Turla Collaborate to Deploy Kazuar Backdoor in Ukraine: Cybersecurity researchers have found evidence of two Russian hacking groups, Gamaredon and Turla, collaborating to target and co-compromise Ukrainian entities.
  • U.K. Arrests Two Teen Scattered Spider Hackers Linked to August 2024 TfL Cyber Attack: Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency.
  • CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization’s network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
  • Microsoft starts rolling out Gaming Copilot on Windows 11 PCs: Microsoft has begun rolling out the beta version of its AI-powered Gaming Copilot to Windows 11 systems for users aged 18 or older, excluding those in mainland China. […]
  • FBI warns of cybercriminals using fake FBI crime reporting portals: The FBI warned today that cybercriminals are impersonating its Internet Crime Complaint Center (IC3) website in what the law enforcement agency described as “possible malicious activity.” […]
  • CISA exposes malware kits deployed in Ivanti EPMM attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). […]
  • Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet: Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT’s License Servlet that can be exploited in command injection attacks. […]
  • Known. Emerging. Unstoppable? Ransomware Attacks Still Evade Defenses: Ransomware remains one of the most destructive threats—because defenses keep failing. Picus Blue Report 2025 shows prevention dropped to 62%, while data exfiltration prevention collapsed to just 3%. […]
  • Steam will stop running on Windows 32-bit in January 2026: Valve has announced that its Steam digital distribution service will drop support for 32-bit versions of Windows starting January 2026. […]
  • OpenAI’s $4 GPT Go plan may expand to more regions: OpenAI released the $4 GPT Go plan in August, but it was limited to India. Now, OpenAI is expanding GPT Go to new regions. […]
  • ChatGPT Search is now smarter as OpenAI takes on Google Search: OpenAI has rolled out a big update to ChatGPT Search, which is an AI-powered search feature, similar to Google AI Mode. […]
  • ChatGPT now gives you greater control over GPT-5 Thinking model: OpenAI is finally rolling out a toggle that allows you to decide how hard the GPT-5-thinking model can think. This feature is rolling out to Plus and Pro subscribers. […]
  • Anker’s latest sleep buds can silence snoring: Anker’s latest Soundcore Sleep A30 sleep buds do what its A20 buds promised but couldn’t deliver: mask snoring. They accomplish this with Active Noise Cancellation in the buds and a microphone inside the charging case that actively adjusts the masking audio to cancel out the sound of sawing logs.
  • Trump claims the US is about to get a tremendous fee for taking TikTok out of China: A 10 percent stake in Intel, 15 percent of Nvidia’s China sales, a “golden share” of Nippon Steel — what price will Trump extract next in exchange for favorable treatment? Well, The Wall Street Journal is reporting that the Trump Administration is “expected to collect a multibillion-dollar fee” in exchange for negotiating a US takeover of TikTok’s US business.
  • Windows 11 is adding another Copilot button nobody asked for: Have enough Copilot buttons in your life? No you don’t — have another one! This one pops up in the latest Windows 11 Insider Preview when mousing over an open app in your taskbar; it lets you share the contents with Copilot Vision.
  • Ex-Disney CEO Michael Eisner calls the FCC’s threats ‘out-of-control intimidation’: Michael Eisner, Disney’s former CEO who ran the company for 21 years and oversaw its acquisition of ABC in 1995, does not think his successor, Bob Iger, made the right decision in moving to put Jimmy Kimmel Live! on indefinite pause following threats from Trump-appointed FCC chairman Brendan Carr.
  • Microsoft is raising prices on Xbox consoles in the US again: Microsoft is raising the prices of its Xbox Series S / X consoles in the US next month. The Xbox Series X will be priced at $649.99 in the US starting October 3rd, up from its existing $599.99 price. The Xbox Series S will move to $399.99, up from $379.99.
  • I know why Mark Zuckerberg risked live demo failure: On Wednesday evening, I had a profound sense of déjà vu. When I watched Mark Zuckerberg open his Meta Connect keynote by giving the world a live backstage tour from his new glasses, I was transported back to 2012.
  • It’s new iPhone day, so grab some screen protectors for just $4.49: Happy iPhone Day! If you’re picking up the new iPhone 17 or iPhone Air and want to avoid scratches or cracks on its front glass, we spotted a great deal on a two-pack of amFilm’s OneTouch screen protectors over at Slickdeals, starting at $4.49.
  • Ugreen’s new super slim wallet tracker has 5 years of battery life: Ugreen has released a new wallet tracker that’s just as thin as the FineTrack Slim Smart Finder the company debuted earlier this year, but with a massive boost in battery life from 12 months to five years.
  • So… is there a TikTok deal or not?: China and the US have “made progress” on granting permission for ByteDance to sell TikTok to an American consortium, fulfilling a nine-months-overdue legal requirement. After saying a tentative deal had been reached Monday and that approval would come Friday, President Donald Trump’s administration has issued an update that leaves the current status ambiguous and the details bare-bones.
  • MAGA influencers are already fighting over Charlie Kirk’s death: The only true surprise about this latest MAGA influencer civil war is how quickly it happened, given the circumstances: Charlie Kirk, a ubiquitous presence, influential political force, and seemingly everyone’s best friend, had been dead for barely a week before everyone began fighting each other for a piece of him.
  • Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection: Exploitation of the flaw, tracked as CVE-2025-10035, is highly dependent on whether systems are exposed to the Internet, according to Fortra.
  • Capture the Flag Competition Leads to Cybersecurity Career: As Splunk celebrates the 10th anniversary of Boss of the SOC competition, it continues to be a valuable platform for security professionals to test their skills, learn new techniques, and potentially advance their careers in cybersecurity.
  • ‘ShadowLeak’ ChatGPT Attack Allows Hackers to Invisibly Steal Emails: The loophole allows cyberattackers to exfiltrate company data via OpenAI’s infrastructure, leaving no trace at all on enterprise systems.
  • Iranian State APT Blitzes Telcos & Satellite Companies: A Charming Kitten subgroup is performing some of the most bespoke cyberattacks ever witnessed in the wild, to down select high-value targets.
  • SonicWall Breached, Firewall Backup Data Exposed: Threat actors breached the MySonicWall service and accessed backup firewall configuration files belonging to “fewer than 5%” of its install base, according to the company.
  • 🏴‍☠️ Embargo has just published a new victim : usadebusk.com: USA DeBusk provides a comprehensive suite of industrial cleaning and infrastructure maintenance services to a diverse, blue-chip customer base across a broad r… – 2 TB including Contracts, Client Data, Employee Private Data, Incident Reports, and more
  • 🏴‍☠️ Qilin has just published a new victim : Promociones Luis Barros: Promociones Luis Barros is a Galician family firm specializing in the construction and promotion of luxury residences in southern Pontevedra. They offer high-end housing solutions, including custom-built homes, catering to discerning client…
  • 🏴‍☠️ Play has just published a new victim : United Machine: United States
  • 🏴‍☠️ Anubis has just published a new victim : Alan Shintani, Inc: Photos and blueprints of government facilities.
  • 🏴‍☠️ Qilin has just published a new victim : EUM Asset Management: EUM Asset Management, Korean Leak2. Company claims that customer trust is their top priority. Well, they have lost that trust. The Seoul-based asset management company focuses primarily on private equity funds. They also deal in stocks, bonds…
  • 🏴‍☠️ Akira has just published a new victim : KCI Telecommunications: KCI provides support services and turn-key solutions focused on exceeding their client’s Network, Resources Management and legacy support needs. We are going to upload corporate data. A lot of personal information of employees (DOB, address, emails, DL numbers, phones and so on), confidential files, payment details, numerous contracts and agreements, financials, customer information, NDAs, etc.
  • 🏴‍☠️ Akira has just published a new victim : Jones Soda (Stock Symbol: JSDA): Jones Soda Co.® (CSE: JSDA, OTCQB: JSDA) is a leading craft soda manufacturer with a growing line of cannabis products. We are going to upload 66gb corporate data. Employee information (complete name, DOB, address, emails, phones, SSNs and so on), financials, payment details, credit cards details, numerous contracts and agreements (with PepsiCo and others), NDAs, etc.
  • 🏴‍☠️ Akira has just published a new victim : About Ross, Brittain & Schonberg Co., Lpa: Ross, Brittain & Schonberg specializes in Labor Law, Employment Law, Workers’ Compensation, and OSHA matters, representing management across various sectors. We are going to upload 66gb corporate data. Lots of legal files (police reports, hearings protocols and others), clients and employees documents and other personal information (Full names, DOB, address, emails, phones, SSNs, DLs and so on), financials, NDAs, etc. Very interesting data.
  • 🏴‍☠️ Obscura has just published a new victim : EAST Design Architect Sdn. Bhd: Design agency in Malaysia, Penang
  • 🏴‍☠️ Obscura has just published a new victim : Espectral: Espectral specializes in providing testing and measurement equipment, focusing on sectors such as telecommunications, finance, healthcare, and education. Their product offerings include calibration services for various parameters, general electronics, and advanced testing equipment for protocols like PCI Express and USB.
  • 🏴‍☠️ Incransom has just published a new victim : cardiofocus.com: CardioFocus specializes in offering innovative tools for electrophysiologists to treat atrial fibrillation. Their advanced technologies, including the HeartLight X3 and Centauri System, leverage laser and PFA technology for precise and effective treatment.
  • 🏴‍☠️ Kairos has just published a new victim : heidelberggc.com.au/Australia/26.4GB: Unknown – Heidelberg Golf Club
  • 🏴‍☠️ Securotrop has just published a new victim : Mitrani Rynor Adamsky & Toland: Status: AWAITING Size: 2960 GB
  • 🏴‍☠️ Akira has just published a new victim : Gurney’s Resorts: Gurneys Montauk Resort & Seawater Spa is a luxury beach hotel located in Montauk, NY, offering 158 rooms, suites, and beachfront cottages with stunning ocean views. We are going to upload 20GB of corporate data. Employees’ personal information, client information, finance and accounting files, NDAs, etc.
  • 🏴‍☠️ Akira has just published a new victim : Hood Technology: Hood Technology Corp is an engineering-oriented company based in Hood River, Oregon, specializing in the development of stabilized gimbals for both manned and unmanned vehicles. We are going to upload corporate data. Lots of project files with drawings and specifications, contracts with sound names like Ferrari, Toshiba, MAN, Siemens, Apex and other companies.
  • 🏴‍☠️ Akira has just published a new victim : Ronald A/S: Ronald A/S is an import company with 100 years of experience specializing in unique FMCG solutions within the nonfood sector. We are going to upload 320gb corporate data. Detailed employee information (Passport scans and other personal documents), lots of HR data, contracts and agreements, payment details, customer information, NDAs, etc.
  • 🏴‍☠️ Akira has just published a new victim : Cook Brown: Cook Brown LLP specializes in labor and employment law, providing comprehensive legal representation to employers in areas such as litigation, claims settlement, and labor relations. We are going to upload 160gb corporate data. Lots of client data where you can find at least 100 SSNs and other personal information, employee files, police reports, court documents, medical information, HR data, etc.
  • 🏴‍☠️ Akira has just published a new victim : MMI Direct: MMI Direct is a leading data processor that specializes in providing services like NCOA, PCOA, analytics, list fulfillment, merge purge, and data append to nonprofits, businesses, and government clients. We are going to upload 116gb corporate data. Employee files (Passports, DLs, birth and death certificates, interviews and other personal documents), medical information, HR data, contracts and agreements, etc.
  • 🏴‍☠️ Akira has just published a new victim : Intellect Systems: Intellect Systems provides solutions to the domestic and international resource, infrastructure, oil and gas, utilities and manufacturing markets. We are going to upload 10gb corporate data. Lots of employee information (passports, DLs, medical information, death and birth certificates), confidentiality agreements, contracts, financial information, project information and other files.
  • 🏴‍☠️ Akira has just published a new victim : Wargo French: Wargo French Singer is a full-service law firm with offices in Atlanta, Los Angeles and Miami. We are going to upload 11gb corporate data. Lots of client information (DOB, address, emails, phone and so on), lots of confidential files, contracts and agreements with Coca-cola and other big names, financial information, projects and other files.
  • 🏴‍☠️ Worldleaks has just published a new victim : Legend Senior Living: [AI generated] Legend Senior Living is an American-based, family-owned and operated company that provides quality elderly care across its facilities. They offer a variety of services from independent living, assisted living to memory care.
  • 🏴‍☠️ Worldleaks has just published a new victim : ACRO Automation Systems: [AI generated] ACRO Automation Systems is a company that designs and creates unique automation processes to help businesses improve their operational efficiencies. They specialize in providing state-of-the-art automated solutions to a wide range of industries.
  • 🏴‍☠️ Worldleaks has just published a new victim : City Wide: [AI generated] City Wide is a leading management company in the building maintenance industry. They offer comprehensive solutions spanning over 20 interior and exterior services for commercial properties.
  • 🏴‍☠️ Pear has just published a new victim : Dubroff, Easley & Lovell, LLP: Attorney service in family law
  • 🏴‍☠️ Pear has just published a new victim : Tri-Century Eye Care: Ophthalmologists and optometrists provide comprehensive and sub-specialty eye care across patients of all ages