Ransomware Update – 2025-10-10

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Chaos Ransomware:

    • New Encrypted File Extension: Not specified in reports.
    • Attack Methods: An upgraded C++ variant includes new encryption methods, destructive wiper capabilities, and cryptocurrency-stealing functions. It operates as a Ransomware-as-a-Service (RaaS).
    • Targets: General targets via its RaaS model; one recent victim is MSS Solutions.
    • Decryption Status: No known decryption method is available.
    • Source: “Chaos Ransomware Upgrades With Aggressive New C++ Variant” / Ransomlook
  • LockBit and Babuk:

    • New Encrypted File Extension: Not applicable.
    • Attack Methods: Utilizing the legitimate Velociraptor digital forensics and incident response (DFIR) tool to execute attacks, a technique that makes malicious activity harder to detect.
    • Targets: General; specific targets not named in the report.
    • Decryption Status: No known decryption method is available.
    • Source: “Hackers now use Velociraptor DFIR tool in ransomware attacks”
  • Ransomware “Cartel” (LockBit, Qilin, DragonForce):

    • New Encrypted File Extension: Not applicable.
    • Attack Methods: The groups have formed a strategic collaboration to share attack information, tools, and resources, enhancing their collective capabilities.
    • Targets: Broad, with an open invitation for other cybercrime groups to join their alliance.
    • Decryption Status: Not applicable.
    • Source: “LockBit, Qilin & DragonForce Join Forces in Ransomware ‘Cartel’”
  • Other Victim Announcements:

    • Akira: Claimed attacks on Northern Air Systems, SG Ceresco, and Legal & Contingency, allegedly exfiltrating 22GB, 38GB, and 237GB of data, respectively.
    • Qilin: Posted new victims including Uvalde Consolidated Independent School District (USA), Midsun Group, MBS Secure, and the Cameron Hodges law firm.
    • Incransom: Listed Georgetown Brewing Co, NextGen Mold Technologies, Benedict Industries, and Tonga Power as victims.
    • Play: Named Accelerated and Elmer W. Davis as recent targets.
    • Source: Ransomlook victim advisories

Observations and Further Recommendations

  • Ransomware groups are evolving beyond individual operations to form strategic alliances, such as the “cartel” involving LockBit and Qilin, to increase their effectiveness and reach.
  • Attackers are increasingly co-opting legitimate administrative and security tools (a “living-off-the-land” technique), like the Velociraptor DFIR tool, to blend in with normal network activity and evade detection.
  • Malware continues to become more destructive. The new Chaos variant’s inclusion of a wiper function indicates a trend towards causing maximum damage, even if a ransom is not paid.
  • The wide array of victims—spanning education, manufacturing, legal, utilities, and technology—underscores that no industry is safe from ransomware threats. Organizations should prioritize robust security measures, including network segmentation, regular backups, and advanced endpoint detection.

News Details

  • Chaos Ransomware Upgrades With Aggressive New C++ Variant: New encryption, wiper, and cryptocurrency-stealing capabilities make the evolving ransomware-as-a-service operation more dangerous than ever.
  • Hackers now use Velociraptor DFIR tool in ransomware attacks: Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware.
  • LockBit, Qilin & DragonForce Join Forces in Ransomware ‘Cartel’: The three extortion gangs also invited other e-crime attackers to join their collaboration to share attack information and resources, in the wake of LockBit 5.0 being released.
  • 🏴‍☠️ Akira has just published a new victim : Legal & Contingency: Legal & Contingency (L&C) is a leading provider of Legal Indemnity Insurance… We are ready to upload 237gb of corporate documents. Lots of employee personal files (passports, DLs and so on), client information… hearings, police reports, and other confidential files.
  • 🏴‍☠️ Qilin has just published a new victim : www.ucisd.net: Uvalde Consolidated Independent School District, USA – is a public school district based in Uvalde, Texas, US. Located in Uvalde County, the district extends into portions of Zavala and Real counties. It is a progressive, rural school district…