Ransomware Update – 2025-10-14

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified in the provided articles; primary tactic appears to be data exfiltration and extortion.
    • Targets: A wide range of sectors including Electric Cooperatives (Karnes Electric, San Bernard Electric), Banking (Bank3), Government (hautsdefrance.fr), and various manufacturing/technology firms in the US, France, Italy, and Norway.
    • Decryption Status: No known public decryptor.
    • Source: Direct announcement from the ransomware group.
  • Medusa:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified in the provided articles.
    • Targets: Diverse industries including Construction (Leprohon), Logistics (LA VOIE EXPRESS), Printing (Design To Print), Petroleum (EcoPetróleo), and Manufacturing (Cemtrex).
    • Decryption Status: No known public decryptor.
    • Source: Direct announcement from the ransomware group.
  • Coinbasecartel:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified in the provided articles.
    • Targets: Primarily focused on the Logistics and Transportation sector (Schedler-translog, PLC-Transportation, dsv.com, Kuehne + Nagel), but also targeting Financial (Borrowell.com), Legal, and Software (Canias ERP) companies.
    • Decryption Status: No known public decryptor.
    • Source: Direct announcement from the ransomware group.
  • Interlock:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration, claiming to have stolen over 3 TB of data.
    • Targets: The Education sector, specifically North Stonington Elementary School in the US.
    • Decryption Status: No known public decryptor.
    • Source: Direct announcement from the ransomware group.
  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration, claiming to have stolen 16 GB of sensitive corporate data, including employee PII.
    • Targets: IT and Engineering services (Business Integra).
    • Decryption Status: No known public decryptor.
    • Source: Direct announcement from the ransomware group.
  • Clop (via third-party reporting):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Exploiting a recently disclosed zero-day vulnerability in Oracle’s E-Business Suite servers.
    • Targets: Higher Education (Harvard University).
    • Decryption Status: Not specified in the report.
    • Source: Reported in the news article “Harvard investigating breach linked to Oracle zero-day exploit.”
  • Other Active Groups:

    • Dragonforce, Direwolf, Nova, Alphalocker, Rhysida, Blacknevas, Obscura, Blackshrantac, and Sinobi also announced new victims across sectors like Real Estate, Logistics, Legal, Manufacturing, Healthcare, and local government. Most of these attacks also involved data exfiltration.

Observations and Further Recommendations

  • Ransomware activity remains high, with numerous groups targeting a wide array of sectors globally, including critical infrastructure (utilities, logistics), education, government, and manufacturing.
  • Data exfiltration is the dominant tactic in this update and is used for double extortion: groups steal data before (or instead of) encrypting it, then boast about the volume and sensitivity of what they hold, including employee PII, student records, and corporate financials, to pressure victims into paying. None of the groups listed above disclosed a new encrypted-file extension, so there is nothing new to add to extension-based detection this week.
  • Ransomware gangs are actively exploiting zero-day vulnerabilities in widely used enterprise software. The breach at Harvard, linked to Clop exploiting an Oracle E-Business Suite flaw, shows how little time can pass between disclosure and exploitation and why rapid patching matters.
  • Organizations should prioritize patching critical vulnerabilities, particularly on internet-facing systems; the Oracle E-Business Suite alert in this update is the immediate example. Patching alone is not enough: the SonicWall SSL VPN compromises reported below used valid stolen credentials, and the RDP botnet spreads its guesses across more than 100,000 source addresses, so enforce multi-factor authentication on every remote-access service, do not expose RDP directly to the internet, and maintain tested, offline backup and recovery plans.

News Details

  • npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels: Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.
  • Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain: Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns.
  • ⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More: Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done.
  • Why Unmonitored JavaScript Is Your Biggest Holiday Security Risk: Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing.
  • Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors: Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.
  • Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor: Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving “credible reports” in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users’ devices.
  • Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns: Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns.
  • New Rust-Based Malware “ChaosBot” Uses Discord Channels to Control Victims’ PCs: Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.
  • New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login: Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.
  • Microsoft restricts IE mode access in Edge after zero-day attacks: Microsoft is restricting access to Internet Explorer mode in the Edge browser after learning that hackers are leveraging zero-day exploits in the Chakra JavaScript engine to gain access to target devices.
  • SimonMed says 1.2 million patients impacted in January data breach: U.S. medical imaging provider SimonMed Imaging is notifying more than 1.2 million individuals of a data breach that exposed their sensitive information.
  • Massive multi-country botnet targets RDP services in the US: A large-scale botnet is targeting Remote Desktop Protocol (RDP) services in the United States from more than 100,000 IP addresses.
  • SonicWall VPN accounts breached using stolen creds in widespread attacks: Researchers warn that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign using stolen, valid credentials.
  • Harvard investigating breach linked to Oracle zero-day exploit: Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site, saying the alleged breach was likely caused by a recently disclosed zero-day vulnerability in Oracle’s E-Business Suite servers.
  • 🏴‍☠️ Medusa has just published a new victim : Leprohon (Image !): Leprohon Inc is a company that operates in the Commercial & Residential Construction industry. It employs 250to499 people and has 25Mto50M of revenue.
  • 🏴‍☠️ Akira has just published a new victim : Business Integra: Business Integra provides solutions for scientific, engineering, information technology, cyber-security, and more. We are ready to upload 16gb of corporate documents.
  • 🏴‍☠️ Qilin has just published a new victim : Bank3: Bank3, USA – it’s a disaster for the clients. Bank3 is a community-driven banking institution offering personal and business banking services, as well as mortgage lending.
  • 🏴‍☠️ Blacknevas has just published a new victim : Undefasa: Ceramicists since 1967We are a family-run business that was established in the heat of the Sierra, and since then Undefasa has made its mark at the heart of Spain’s thriving ceramics industry.
  • 🏴‍☠️ Interlock has just published a new victim : North Stonington Elementary School: North Stonington Public Schools have two public schools and 736 students, strives to create a safe environment for themselves, their school, and their students. However, their “Safety First” slogan has recently changed