Latest Ransomware News and New File Extensions
Fortra GoAnywhere MFT Vulnerability (CVE-2025-10035):
- New Encrypted File Extension: Not applicable (vulnerability exploitation).
- Attack Methods: A maximum severity (CVSS 10.0) authentication bypass vulnerability allows remote command injection. The flaw was exploited as a zero-day before public disclosure, with evidence of active exploitation a week prior.
- Targets: Users of Fortra’s GoAnywhere Managed File Transfer (MFT) software, a solution noted as being favored by ransomware operators.
- Decryption Status: Not applicable. Patching is critical.
- Source: https://www.bleepingcomputer.com/news/security/maximum-severity-goanywhere-mft-flaw-exploited-as-zero-day/
Scattered Spider:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: The articles do not detail the intrusion methods used; the incident was a cyberattack that resulted in significant financial loss.
- Targets: The Co-operative Group (U.K.).
- Decryption Status: No known free decryption tool. The attack led to a reported loss of £80 million ($107 million).
- Source: https://www.bleepingcomputer.com/news/security/co-op-says-it-lost-107-million-after-scattered-spider-attack/
Volvo Supplier Attack:
- New Encrypted File Extension: Not specified.
- Attack Methods: A supply chain ransomware attack targeting a supplier of Volvo.
- Targets: An unnamed international vehicle supplier; the breach led to the theft of Social Security Numbers (SSNs) belonging to Volvo employees.
- Decryption Status: No known free decryption tool. The focus is on data theft.
- Source: https://www.darkreading.com/cyberattacks-data-breaches/volvo-employee-ssns-stolen-in-supplier-ransomware-attack
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: Multiple international organizations, including Yooshin Engineering Corporation (South Korea), Podo Asset Management (South Korea), WEST Inc. (USA), XC Associates (USA), and others.
- Decryption Status: No known free decryption tool.
- Source: Ransomware Leak Site Monitor
Dragonforce:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a public leak site.
- Targets: Various businesses, including Asserson (UK law firm), Rothmann Immobilien (Real Estate), FTCS Forage (France), Memphis Millwork (USA), and Cardinal Machinery (USA).
- Decryption Status: No known free decryption tool.
- Source: Ransomware Leak Site Monitor
Other Active Groups:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via public leak sites.
- Targets: A diverse range of victims have been posted by various groups:
  - Pear: Phillips Feldman Group, ComTec Systems.
  - Termite: News-Press & Gazette Co.
  - Thegentlemen: Thai Future Inc. PCL.
  - Spacebears: SOP. Sistema Odontológico Privado (Argentina).
  - Nova: AV Services Barcelona.
- Decryption Status: No known free decryption tools for these groups.
- Source: Ransomware Leak Site Monitor
Observations and Further Recommendations
- High Volume of Activity: Numerous ransomware groups, including Qilin and Dragonforce, are actively publishing new victims, indicating a sustained high tempo of operations.
- Diverse Industry Targeting: The victims span a wide array of sectors, including engineering, legal, financial services, manufacturing, media, and real estate across multiple continents, showing that no industry is immune.
- Supply Chain is a Critical Weakness: The Volvo incident highlights the significant risk from supply chain attacks, where a vulnerability in a third-party vendor can directly lead to a data breach at a major corporation.
- Severe Financial Consequences: The $107 million loss reported by The Co-operative Group following the Scattered Spider attack underscores the catastrophic financial damage ransomware can inflict beyond the ransom payment itself.
- Vulnerability Exploitation: Threat actors continue to rapidly exploit critical vulnerabilities, such as the zero-day in Fortra’s GoAnywhere MFT, often before patches are widely applied. It is crucial for organizations to have agile patch management processes and prioritize critical vulnerabilities.
News Details
- Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam: A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.
- New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks: The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new “lightweight” malware families tracked as BAITSWITCH and SIMPLEFIX.
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure: Cybersecurity company watchTowr Labs has disclosed that it has “credible evidence” of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.
- New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module: Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks.
- Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware: The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.
- Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive: Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.
- Vane Viper Generates 1 Trillion DNS Queries to Power Global Malware and Ad Fraud Network: The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility.
- Maximum severity GoAnywhere MFT flaw exploited as zero-day: Hackers are actively exploiting a maximum severity vulnerability (CVE-2025-10035) in Fortra’s GoAnywhere MFT that allows injecting commands remotely without authentication.
- Co-op says it lost $107 million after Scattered Spider attack: The Co-operative Group in the U.K. released its interim financial results report for the first half of 2025 with a massive loss in operating profit of £80 million ($107 million) due to the cyberattack it suffered last April.
- CISA orders agencies to patch Cisco flaws exploited in zero-day attacks: CISA has issued a new emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against two flaws that have been exploited in zero-day attacks.
- Volvo Employee SSNs Stolen in Supplier Ransomware Attack: Three international vehicle manufacturers have fallen to supply chain cyberattacks in the past month alone.
- Iranian State Hackers Use SSL.com Certificates to Sign Malware: Security researchers say multiple threat groups, including Iran’s Charming Kitten APT offshoot Subtle Snail, are deploying malware with code-signing certificates from the Houston-based company.
- Cisco’s Wave of Actively Exploited Zero-Day Bugs Targets Firewalls, IOS: Patch now: Cisco recently disclosed four actively exploited zero-days affecting millions of devices, including three targeted by a nation-state actor previously discovered to be behind the “ArcaneDoor” campaign.
- 🏴☠️ Qilin has just published a new victim: Yooshin Engineering Corporation: Yooshin Engineering Corporation provides engineering consulting services in South Korea and internationally. It offers various services, including feasibility study, basic and detailed design, construction project management, and post-complet…
- 🏴☠️ Dragonforce has just published a new victim: Asserson: (Clients, counterparties, lobbying, deceit, intimidation, pressure on journalists, and other tactics, as revealed in over half a million documents) Asserson Law Offices is a dynamic and creative law firm based in the UK…
- 🏴☠️ Termite has just published a new victim: News-Press & Gazette Co.: News-Press & Gazette Company publishes daily newspapers and weekly publications. It provides cable, internet, and digital telephone services, as well as commercial printing services…