Ransomware Update – 2025-09-22

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified in the reports.
    • Attack Methods: Data exfiltration and public shaming via their leak site to extort victims.
    • Targets: A diverse range of industries including construction (cegconstruction.com), food production (goodcents.com), research (ZEF, University of Bonn), and national utilities (NV ELMAR, Aruba’s electricity supplier).
    • Decryption Status: No public decryption tool is known to be available.
    • Source: Ransomware Leak Site Publication
  • Incransom Ransomware:

    • New Encrypted File Extension: Not specified in the report.
    • Attack Methods: Data exfiltration and extortion, claiming a 5.7TB data leak and access to sensitive government networks.
    • Targets: Government entities, specifically the Pennsylvania Office of Attorney General.
    • Decryption Status: No public decryption tool is known to be available.
    • Source: Ransomware Leak Site Publication
  • Sarcoma Ransomware:

    • New Encrypted File Extension: Not specified in the report.
    • Attack Methods: Data theft and extortion, claiming to have exfiltrated 2.4 TB of files.
    • Targets: Property management sector (Miami Management).
    • Decryption Status: No public decryption tool is known to be available.
    • Source: Ransomware Leak Site Publication
  • Abyss Ransomware:

    • New Encrypted File Extension: Not specified in the report.
    • Attack Methods: Data exfiltration and extortion via their leak site.
    • Targets: Electronic engineering and design services (optimumdesign.com).
    • Decryption Status: No public decryption tool is known to be available.
    • Source: Ransomware Leak Site Publication
  • Spacebears Group:

    • New Encrypted File Extension: Not specified in the report.
    • Attack Methods: Data exfiltration and extortion, targeting databases, financial documents, and personal information.
    • Targets: Legal sector (Batesky Law Office).
    • Decryption Status: No public decryption tool is known to be available.
    • Source: Ransomware Leak Site Publication
  • DPRK Hackers (BeaverTail Malware):

    • New Encrypted File Extension: Not applicable (malware focused on data theft, not encryption).
    • Attack Methods: Social engineering campaigns using fraudulent job offers (ClickFix lures) in the cryptocurrency sector to deploy BeaverTail and InvisibleFerret malware.
    • Targets: Marketing and trading professionals in cryptocurrency and retail organizations.
    • Decryption Status: Not applicable.
    • Source: News Media Report
  • Killsec Group (Data Leaks):

    • New Encrypted File Extension: Not applicable (data leak/hacktivist group, not ransomware).
    • Attack Methods: Publication of victims on a leak site.
    • Targets: A high volume of diverse entities, including Rainwalk Technology, Fractalite, BEHCA, VTK Legal, AX CAPITAL, and others.
    • Decryption Status: Not applicable.
    • Source: Threat Actor Leak Site Publication

Observations and Further Recommendations

  • Ransomware and extortion groups continue to target a wide array of sectors, from critical infrastructure (utilities) and government agencies to smaller professional services firms, demonstrating that no industry is immune.
  • Microsoft patched a critical vulnerability (CVE-2025-55241) in Entra ID that could have allowed attackers to gain Global Administrator privileges across any tenant. This highlights the severe risk posed by flaws in identity and access management systems.
  • Social engineering, particularly through sophisticated job scams as seen with DPRK-linked actors, remains a highly effective method for initial malware delivery.
  • It is crucial for organizations to prioritize patching critical vulnerabilities, conduct regular user security awareness training to defend against phishing, and maintain immutable backups to ensure resilience against data encryption and extortion tactics.

News Details

  • How to Gain Control of AI Agents and Non-Human Identities: We hear this a lot: “We’ve got hundreds of service accounts and AI agents running in the background. We didn’t create most of them. We don’t know who owns them. How are we supposed to secure them?” Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks
  • Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants: A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0.
  • DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams: Threat actors with ties to the Democratic People’s Republic of Korea (aka DPRK or North Korea) have been observed leveraging ClickFix-style lures to deliver a known malware called BeaverTail and InvisibleFerret. “The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software development roles,” GitLab
  • Verified Steam game steals streamer’s cancer treatment donations: A gamer seeking financial support for cancer treatment lost $32,000 after downloading from Steam a verified game named Block Blasters that drained his cryptocurrency wallet.
  • Microsoft Entra ID flaw allowed hijacking any company’s tenant: A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.
  • Canada dismantles TradeOgre exchange, seizes $40 million in crypto: The Royal Canadian Mounted Police has shut down the TradeOgre cryptocurrency exchange and seized more than $40 million believed to originate from criminal activities.
  • The best fall desk upgrades: Your desk should feel truly yours. If you want a boxed copy of Teenage Mutant Ninja Turtles: Turtles in Time for the Super Nintendo next to your high-end monitor for no reason other than it makes you happy, go for it. However, it’s important to balance fun with function; your desk space needs to be equipped to help you get work done.
  • Apple’s iPhone 17 Pro can be easily scratched: The Achilles heel of the iPhone 17 Pro. The iPhone 17 Pro and 17 Pro Max appear to provide little resistance to scratches and scuffs around the sharp edges of the camera bump. Tech blogger Zack Nelson demonstrates this weakness in a durability test on his JerryRigEverything YouTube channel…
  • Windows 11 is getting a video wallpaper feature: Microsoft has started testing the ability to use video wallpapers on Windows 11. The feature has been spotted in the latest builds of Windows 11, and allows you to set video files like MP4 or MKV as your desktop wallpaper background.
  • Silent Hill F has two killer ingredients: mystery and rage: Even suffused in otherworldly fog, Silent Hill F’s picturesque period setting gleams with authenticity. Traditional hardwood buildings line narrow alleyways, while babbling brooks and small footpaths crisscross soaking paddy fields.
  • The foldable iPhone might look like two iPhone Airs stuck together: While it seems like a foregone conclusion that there will be a foldable iPhone, possibly late next year, there hasn’t been much info about what it would look like. In the latest installment of his Power On newsletter Mark Gurman says he’s being told it will look more or less like two iPhone Airs stuck together. 
  • The touchscreen MacBook rumors are never ending: Analyst Ming-Chi Kuo took to X on Wednesday to claim that a MacBook Pro with an OLED touchscreen was expected to enter mass production by late 2026. Today Bloomberg’s Mark Gurman is following up to remind us that he was reporting on a touchscreen MacBook Pro way back in 2023.
  • Montblanc is getting into the digital notepad game: If you’re the kind of person who owns leather driving gloves in multiple colors to match your different Jaguars, then there hasn’t been a digital paper option that could live up to your lofty luxury standards until now. But Montblanc is finally delivering a truly bougie take on the e-ink writing tablet.
  • A jury will decide if Amazon illegally tricked people into paying for Prime: Amazon is about to face a roughly month-long trial against the US Federal Trade Commission in Seattle to defend its Prime program from claims it tricked tens of millions of customers into signing up for the membership and made it hard to quit.
  • Trump’s H-1B visa fee isn’t just about immigration, it’s about fealty: Donald Trump has never made his distaste for immigrants a secret. It’s been a cornerstone of his political movement since he descended that escalator on June 16th, 2015 and started hurling racist vitriol in the general direction of Mexico and Mexican Americans.
  • Why PlayStation and Xbox are no longer about the station or the box: This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more on the intersection of gaming and technology, follow Sean Hollister.
  • 🏴‍☠️ Qilin has just published a new victim : cegconstruction.com: CEG Construction is on a path to self-destruction. This company is an industrial contractor based in Southern California that specializes in the construction of concrete warehouses and food processing facilities.
  • 🏴‍☠️ Killsec has just published a new victim : Rainwalk Technology: N/A
  • 🏴‍☠️ Killsec has just published a new victim : Fractalite: N/A
  • 🏴‍☠️ Killsec has just published a new victim : BEHCA: N/A
  • 🏴‍☠️ Killsec has just published a new victim : VTK Legal: N/A
  • 🏴‍☠️ Killsec has just published a new victim : AX CAPITAL: N/A
  • 🏴‍☠️ Killsec has just published a new victim : FDB Collections: N/A
  • 🏴‍☠️ Killsec has just published a new victim : MortDash: N/A
  • 🏴‍☠️ Killsec has just published a new victim : Scanbo: N/A
  • 🏴‍☠️ Killsec has just published a new victim : UwayApply: N/A
  • 🏴‍☠️ Killsec has just published a new victim : Top4Fans: N/A
  • 🏴‍☠️ Killsec has just published a new victim : Cadorim: N/A
  • 🏴‍☠️ Abyss has just published a new victim : optimumdesign.com: Optimum Design Associates specializes in PCB design services, leveraging elite experience and proven methodologies to deliver high-quality electronic engineering solutions.
  • 🏴‍☠️ Spacebears has just published a new victim : Batesky Law Office (BLO): Attorney Richard Batesky has devoted nearly 30 years of his life to helping his clients receive compensation after a car accident, construction site accident, or personal injury due to another person’s negligence.
  • 🏴‍☠️ Sarcoma has just published a new victim : Miami Management: Miami Management, Inc. is a full-service property management company serving the residential, condominium, high-rise, and commercial markets in South Florida. Geo: USA – Leak size: 2.4 TB Archive – Contains: Files
  • 🏴‍☠️ Qilin has just published a new victim : ZEF: ZEF, Germany – Center for Development Research University of Bonn. ZEF conducts interdisciplinary research in the fields of political, economic, and general development.
  • 🏴‍☠️ Incransom has just published a new victim : Pennsylvania Office of Attorney General: Pennsylvania Office of Attorney General is a law enforcement official that protects and serves the agencies of the Commonwealth and citizens of Harrisburg, Pennsylvania. 5.7TB data leak, access to internal network of FBI and more…
  • 🏴‍☠️ Qilin has just published a new victim : goodcents.com: Goodcents, USA – Cheap food outlets are part of Custom Foods Inc., a company that produces frozen dough. The company manufactures a wide range of products, including dough for pizza, bread, cookies, and much more.
  • 🏴‍☠️ Qilin has just published a new victim : NV ELMAR: A blackout in Aruba is only a matter of time. The incompetence and unprofessionalism of NV ELMAR managers — the only electricity supplier on the island — could send the entire island back to the Stone Age.