Latest Ransomware News and New File Extensions
Medusa Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Exploitation of a critical deserialization vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT software, attributed to the threat actor Storm-1175.
- Targets: Organizations using vulnerable versions of Fortra GoAnywhere MFT.
- Decryption Status: No known decryption method mentioned.
- Source: Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware
Cl0p Ransomware:
- New Encrypted File Extension: Not specified (primarily a data theft and extortion attack).
- Attack Methods: Exploitation of a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS) allowing for unauthenticated remote compromise.
- Targets: Customers using Oracle E-Business Suite.
- Decryption Status: Not applicable as the primary goal is data theft; Oracle has released an emergency patch.
- Source: Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks
XWorm Malware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Distributed via phishing campaigns. The malware is highly modular, with over 35 plugins for data theft, and has been updated with a new ransomware module.
- Targets: General users and organizations targeted via phishing.
- Decryption Status: No known decryption method mentioned.
- Source: XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities
ShinyHunters (Extortion Group):
- New Encrypted File Extension: Not applicable (data theft and extortion).
- Attack Methods: Data breach followed by extortion, leaking stolen customer engagement reports on their data leak site.
- Targets: Red Hat, Inc.
- Decryption Status: Not applicable.
- Source: Red Hat data breach escalates as ShinyHunters joins extortion
Various Ransomware & Extortion Groups:
- New Encrypted File Extension: Not applicable (data leak announcements).
- Attack Methods: Various undisclosed breach methods resulting in data theft and public extortion via leak sites.
- Targets: A wide range of global organizations, including Lautrec (Akira), Clifford Paper Inc (Qilin), AES Clean Technology (Play), and The Methodist Church of Southern Africa (Beast).
- Decryption Status: Not applicable.
- Source: Ongoing monitoring of various ransomware data leak sites.
Observations and Further Recommendations
- A primary attack vector for major ransomware campaigns is the rapid exploitation of zero-day and critical vulnerabilities in widely used enterprise software. This trend highlights the importance of immediate patching.
- Malware is becoming increasingly versatile. Tools like XWorm are not just for data theft but are now being equipped with ransomware modules, indicating a move towards multi-purpose malicious software.
- Data extortion remains a dominant tactic. Groups like ShinyHunters, Akira, and Qilin continue to publicly name and shame victims on leak sites to pressure them into paying ransoms, emphasizing that data protection is as crucial as preventing encryption.
- Organizations should prioritize robust patch management, especially for internet-facing applications, and maintain comprehensive security awareness programs to defend against phishing, a common initial access method.
News Details
- New Research: AI Is Already the #1 Data Exfiltration Channel in the Enterprise: For years, security leaders have treated artificial intelligence as an “emerging” technology, something to keep an eye on but not yet mission-critical. A new Enterprise AI and SaaS Data Security Report by AI & Browser Security company LayerX proves just how outdated that mindset has become.
- XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities: Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts. “XWorm’s modular design is built around a core client and an array of specialized components known as plugins,” Trellix researchers said.
- 13-Year-Old Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely: Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.
- Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware: Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0).
- Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks: CrowdStrike on Monday said it’s attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025.
- New Report Links Research Firms BIETA and CIII to China’s MSS Cyber Operations: A Chinese company named the Beijing Institute of Electronics Technology and Application (BIETA) has been assessed to be likely led by the Ministry of State Security (MSS).
- Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks: Oracle has released an emergency update to address a critical security flaw in its E-Business Suite software that it said has been exploited in the recent wave of Cl0p data theft attacks.
- Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers: Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.
- Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files: A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.
- Red Hat data breach escalates as ShinyHunters joins extortion: Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site.
- Microsoft: Critical GoAnywhere bug exploited in ransomware attacks: A cybercrime group, tracked as Storm-1175, has been actively exploiting a maximum severity GoAnywhere MFT vulnerability in Medusa ransomware attacks for nearly a month.
- Redis warns of critical flaw impacting thousands of instances: The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.
- XWorm malware resurfaces with ransomware module, over 35 plugins: New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year.
- Oracle patches EBS zero-day exploited in Clop data theft attacks: Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.
- Clop Ransomware Hits Oracle Customers Via Zero-Day Flaw: The infamous Clop gang has targeted a wide range of Oracle E-Business Suite customers using a newly disclosed zero-day vulnerability.
- 🏴☠️ Akira has just published a new victim: Lautrec: Lautrec is based out of the United States with an office operating in Alberta, Canada. Lautrec offers new and pre-owned manufactured homes, apartments, townhomes, and RV rental sites. We are ready to upload more than 18GB of their data.
- 🏴☠️ Qilin has just published a new victim: Clifford Paper Inc: Clifford Paper Inc, USA – is a family-owned business with a deep legacy in the forest products industry, operating since 1985. They specialize in providing paper products and value-added services.
- 🏴☠️ Play has just published a new victim: AES Clean Technology: United States
- 🏴☠️ Shinyhunters has just published a new victim: Red Hat, Inc.: Red Hat, Inc. is a leading American multinational software company that provides open-source software products to businesses. It became a subsidiary of IBM in 2019.