Ransomware Update – 2025-10-15

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles; the group posts victim data on its leak site.
    • Targets: A wide range of global organizations across multiple sectors, including transportation (All Truck Transportation, Volkswagen Group France), real estate (Charles River Properties), insurance (New Jersey Property-Liability Insurance Guaranty Association), healthcare (UT Health Austin, PQCNC Hospitals), government (City of Riviera Beach, Catawba County Government), manufacturing (Kecy Metal Technologies, Executive Cabinetry), and technology (SICE, SFG Technology). The group has been exceptionally active, listing dozens of victims.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware group’s announcement feed.
  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration followed by public shaming. The group claims to have stolen 24 GB from Art Guild and over 43 GB from Ostrolenk Faber.
    • Targets: Art Guild (a marketing/educational program provider) and Ostrolenk Faber (an intellectual property law firm).
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware group’s announcement feed.
  • Interlock:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Claimed exfiltration of over 3 TB of confidential data.
    • Targets: The North Stonington School District.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware group’s announcement feed.
  • Sarcoma:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Exfiltration of 2.8 TB of files and SQL databases.
    • Targets: Unimed do Brasil (a Brazilian health service center).
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware group’s announcement feed.
  • Other Active Groups:

    • Attack Methods: Several other ransomware groups, including Pear, Thegentlemen, Sinobi, Devman, and Incransom, have also announced new victims. Their primary method involves data theft and extortion.
    • Targets: Victims include Navigator Business Solutions (Pear), ICET Studios (Thegentlemen), Ganther Construction (Sinobi), an unnamed embassy in Washington D.C. (Devman), and Bar One Specialty Steel (Incransom).
    • Decryption Status: No known decryption method mentioned for any of these attacks.
    • Source: Ransomware group’s announcement feed.

Observations and Further Recommendations

  • The Qilin ransomware group demonstrated an extremely high level of activity, publishing a vast and diverse list of victims from various industries and geographic locations, including the US, France, Colombia, and Germany. This highlights a widespread and aggressive campaign.
  • The targets are not limited to one sector; victims include public entities (schools, local governments), critical infrastructure (transportation, healthcare), and private businesses of all sizes (law firms, manufacturing, retail).
  • The focus of these announcements is on data exfiltration, with groups often specifying the volume of stolen data to pressure victims into paying the ransom.
  • Given the broad and opportunistic nature of these attacks, organizations across all sectors should prioritize strengthening their security posture. This includes regular patching of systems (as highlighted by Microsoft’s large Patch Tuesday update), employee training to recognize phishing attempts, and implementing robust backup and recovery plans.

News Details

  • Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped: Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.
  • Two CVSS 10.0 Bugs in Red Lion RTUs Could Hand Hackers Full Industrial Control: Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixnet remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges.
  • Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell Access: Cybersecurity researchers have disclosed that a critical security flaw impacting ICTBroadcast, an autodialer software from ICT Innovations, has come under active exploitation in the wild.
  • New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login: SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution.
  • Chinese Hackers Exploit ArcGIS Server as Backdoor for Over a Year: Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year.
  • RMPocalypse: Single 8-Byte Write Shatters AMD’s SEV-SNP Confidential Computing: Chipmaker AMD has released fixes to address a security flaw dubbed RMPocalypse that could be exploited to undermine confidential computing guarantees provided by Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP).
  • New Pixnapping Android Flaw Lets Rogue Apps Steal 2FA Codes Without Permissions: Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data pixel by pixel, without the users’ knowledge.
  • npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels: Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.
  • Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain: Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns.
  • Malicious crypto-stealing VSCode extensions resurface on OpenVSX: A threat actor called TigerJack is constantly targeting developers with malicious extensions published on Microsoft’s Visual Studio Code (VSCode) marketplace and the OpenVSX registry to steal cryptocurrency and plant backdoors.
  • Final Windows 10 Patch Tuesday update rolls out as support ends: In what marks the end of an era, Microsoft has released the Windows 10 KB5066791 cumulative update, the final free update for the operating system as it reaches the end of its support lifecycle.
  • Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws: Today is Microsoft’s October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities. Get patching!
  • 🏴‍☠️ Interlock has just published a new victim: The North Stonington School District: North Stonington Public Schools, with two public schools and 736 students, strives to create a safe environment for themselves, their school, and their students. However, their “Safety First” slogan has recently changed!
  • 🏴‍☠️ Pear has just published a new victim: Navigator Business Solutions: Helps companies conquer their industry and business complexity by implementing and supporting the best fit systems and processes.
  • 🏴‍☠️ Sarcoma has just published a new victim: Unimed do Brasil: Unimed do Brasil Unimed Pelotas is a comprehensive health service center located in Pelotas, Brazil, providing a wide range of medical services and assistance. Geo: Brazil – Leak size: 2.8 TB Archive – Contains: Files, SQL.
  • 🏴‍☠️ Qilin has just published a new victim: All Truck Transportation Co., Inc.: All Truck Transportation Co., Inc. is an asset-based carrier offering local and regional truckload transportation solutions. We are headquartered in Chicago, Illinois with a vast network of terminals throughout the Midwest.
  • 🏴‍☠️ Akira has just published a new victim: Art Guild: Art Guild is a full-service provider of face-to-face marketing and educational programs. We are ready to upload 24 GB of corporate documents.