Latest Ransomware News and New File Extensions
-
Unattributed Ransomware Attack (European airports):
- New Encrypted File Extension: Not specified.
- Attack Methods: A targeted attack on check-in and boarding systems, leading to operational disruptions.
- Targets: Multiple major European airports.
- Decryption Status: Not specified.
- Source: News article titled “Airport disruptions in Europe caused by a ransomware attack”
-
Play Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: Numerous entities, primarily in the United States (Takeuchi US, DHM Properties, Vcinity, GrammaTech, etc.), but also in New Zealand (Agility CIS) and Canada (Ronco Safety).
- Decryption Status: No known free decryption tool.
- Source: Ransomware activity feeds
-
Qilin Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: An international mix of companies including APM Finance GmbH (Germany), MEDUANE HABITAT (France), Chris Rodriguez Installers (USA), and Chinup Technology Co. (Taiwan).
- Decryption Status: No known free decryption tool.
- Source: Ransomware activity feeds
-
Worldleaks Group:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: Multiple U.S. organizations, including Pyramid Global Hospitality, Washington Prime Group Inc, Mavis Tire Supply, Sapp Bros, KIPP DC, and Madison Healthcare Services.
- Decryption Status: No known free decryption tool.
- Source: Ransomware activity feeds
-
Incransom Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: Speed Art Museum (USA), P&P Industries (USA), and CPK Interior (Canada).
- Decryption Status: No known free decryption tool.
- Source: Ransomware activity feeds
-
Rhysida Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: The Maryland Department of Transportation.
- Decryption Status: No known free decryption tool.
- Source: Ransomware activity feeds
Observations and Further Recommendations
- Ransomware activity continues at a high volume, with numerous groups actively leaking data from a wide variety of global industries, including government, transportation, hospitality, finance, and manufacturing.
- The dominant strategy remains double extortion, where attackers steal sensitive data before encryption and threaten to publish it to pressure victims into paying the ransom. Note that a leak-site posting in the activity feeds confirms exfiltration and extortion only; whether a listed victim was also encrypted is not stated in those feeds.
- The attack on European airports underscores the significant, real-world disruption ransomware can inflict on critical infrastructure and public services.
- It is crucial for organizations to implement fundamental cybersecurity measures: timely patching of internet-facing systems, phishing-resistant multi-factor authentication (MFA) on remote access and administrative accounts, network segmentation that limits lateral movement from user workstations to servers, and offline or immutable backups whose restores are tested regularly.
News Details
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials: Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in the Pandoc document conversion tool as part of attacks designed to reach the Amazon Web Services (AWS) Instance Metadata Service (IMDS) and retrieve the temporary IAM role credentials it serves to EC2 instances.
- State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability: Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity.
- Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security: Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image.
- Eurojust Arrests 5 in €100M Cryptocurrency Investment Fraud Spanning 23 Countries: Law enforcement authorities in Europe have arrested five suspects in connection with an “elaborate” online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain.
- U.S. Secret Service Seizes 300 SIM Servers, 100K Cards Threatening U.S. Officials Near UN: The U.S. Secret Service on Tuesday said it took down a network of electronic devices located across the New York tri-state area that were used to threaten U.S. government officials and posed an imminent threat to national security.
- SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw: SolarWinds has released hotfixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability is tracked as CVE-2025-26399 (CVSS score: 9.8).
- ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service: Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest. The ShadowV2 botnet predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers.
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security: GitHub on Monday announced that it will be changing its authentication and publishing options “in the near future” in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack.
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells: Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware called BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam.
- Boyd Gaming discloses data breach after suffering a cyberattack: US gaming and casino operator Boyd Gaming Corporation disclosed it suffered a breach after threat actors gained access to its systems and stole data, including employee information and data belonging to a limited number of other individuals.
- Airport disruptions in Europe caused by a ransomware attack: The disruptions over the weekend at several major European airports were caused by a ransomware attack targeting the check-in and boarding systems.
- Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms: U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims.
- 🏴☠️ Rhysida has just published a new victim: The Maryland Department of Transportation.
- 🏴☠️ Qilin has just published a new victim: www.apm-finance.de. APM Finance GmbH (Germany) specializes in outsourced accounting services designed for the automotive industry.
- 🏴☠️ Akira has just published a new victim: Alexander Bürkle. Alexander Bürkle is a technology service provider and electrotechnical products retailer headquartered in Germany. Leak-site text: “We are going to upload corporate data. Employees' personal information, financials, customers' information, NDAs, etc.”
- 🏴☠️ Sarcoma has just published a new victim: Thermofin. Thermofin GmbH specializes in innovative, high-performance cooling solutions for industries including industrial refrigeration and air conditioning. Geo: Germany. Leak size: 2.9 TB archive. Contains: files, SQL, Exchange.
- 🏴☠️ Play has just published a new victim: Takeuchi US (United States).
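The Pandoc/IMDS item above concerns reaching IMDS through a server-side fetch. The following Python is an added example, not code from the page, from Wiz, or from AWS: it audits EC2 instance metadata options for IMDSv1 exposure and, with a small simulated IMDS endpoint, shows why a GET-only fetch obtains the credential path under IMDSv1 but receives 401 under IMDSv2. The instance records are constructed; the describe-instances field names (MetadataOptions, HttpTokens, HttpPutResponseHopLimit) and the IMDSv2 token flow (PUT /latest/api/token with a TTL header, then GET with the token) follow AWS's documented behaviour; the assumption that the attacker's primitive is GET-only is a general one about document fetchers, not a claim about the mechanics of CVE-2025-51591.

```python
"""Audit EC2 metadata options for IMDSv1 exposure and simulate IMDSv2 token
enforcement.  Added example with constructed data; SimulatedIMDS is a model
of the documented token flow, not AWS code."""

import secrets

# Constructed sample shaped like `aws ec2 describe-instances` output.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required",
            "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional",
            "HttpPutResponseHopLimit": 1}},
    ]},
]


def audit_metadata_options(reservations):
    """Return {instance_id: [findings]} for instances that still answer IMDSv1
    requests or whose hop limit lets traffic from a container reach IMDS."""
    findings = {}
    for res in reservations:
        for inst in res.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # IMDS disabled entirely: nothing to steal here.
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens != required)")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # With hop limit 1 the PUT response cannot cross a NAT/bridge,
                # so a container or VM on the host cannot obtain a token.
                issues.append("hop limit > 1 lets containerised workloads fetch tokens")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


class SimulatedIMDS:
    """Minimal model of IMDS token enforcement (simulation, not AWS code)."""

    CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
    MAX_TTL = 21600  # IMDSv2 tokens live at most six hours

    def __init__(self, http_tokens):
        self.require_token = http_tokens == "required"
        self.tokens = set()

    def put_token(self, ttl_seconds):
        """PUT /latest/api/token with X-aws-ec2-metadata-token-ttl-seconds."""
        if not 1 <= ttl_seconds <= self.MAX_TTL:
            return 400, ""
        tok = secrets.token_urlsafe(32)
        self.tokens.add(tok)
        return 200, tok

    def get(self, path, token=None):
        """GET with optional X-aws-ec2-metadata-token header."""
        if self.require_token and token not in self.tokens:
            return 401, ""
        if path.startswith(self.CREDS_PATH):
            return 200, "constructed-role"  # role name; credentials would follow
        return 404, ""


def get_only_ssrf(imds):
    """A primitive that can only issue GET, the usual document-fetcher case.
    Returns the HTTP status the attacker sees for the credential path."""
    status, _ = imds.get(SimulatedIMDS.CREDS_PATH)
    return status


if __name__ == "__main__":
    for instance_id, issues in audit_metadata_options(SAMPLE_RESERVATIONS).items():
        print(instance_id, issues)
    print("IMDSv1 host, GET-only SSRF:", get_only_ssrf(SimulatedIMDS("optional")))
    print("IMDSv2 host, GET-only SSRF:", get_only_ssrf(SimulatedIMDS("required")))
```

To run the audit against a real account, pass `boto3.client("ec2").describe_instances()["Reservations"]` to `audit_metadata_options`; the corresponding fix for each flagged instance is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`, after confirming that no workload on the instance still depends on IMDSv1.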