Ransomware Update – 2025-10-18

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Rhysida:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A recent campaign involved using over 200 fraudulently signed certificates to sign malicious binaries, particularly fake Microsoft Teams setup files. This method was used to deliver the Oyster backdoor, which then deployed the Rhysida ransomware.
    • Targets: The certificate-abusing campaign was disrupted by Microsoft. However, Rhysida’s leak site recently listed new victims from the healthcare (Hematology Oncology Consultants) and manufacturing (GEIGER) sectors.
    • Decryption Status: No known method mentioned.
    • Source: Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign
  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Attack vectors are not detailed in the provided reports, but the group focuses on data exfiltration for double extortion. Stolen data includes sensitive personal and corporate information like SSNs, financial records, and contracts.
    • Targets: Multiple US-based companies, including manufacturing (Manko Window Systems, Tenryu America, Plastics Extrusion Machinery), metal supply (Curtis Steel Co.), and restaurant operations (Consolidated Restaurant Operations, Inc.).
    • Decryption Status: No known method mentioned.
    • Source: Various Akira victim-shaming posts.
  • Other Active Ransomware Groups:

    • Prominent Details: Numerous other ransomware groups have actively posted new victims on their data leak sites, including Everest, Sinobi, Thegentlemen, Play, Incransom, Radar, and Ransomhouse.
    • Attack Methods: The posts focus on data extortion and do not specify the initial attack methods. The Radar group noted that several of its real estate victims shared an Active Directory network infrastructure.
    • Targets: Victims span a wide range of industries globally, including aerospace (Collins Aerospace by Everest), marketing (HOEHNER RESEARCH & CONSULTING GROUP by Sinobi), transportation (Madagascar Airlines by Thegentlemen), and real estate (UrbanX PTY LTD by Radar).
    • Decryption Status: No known method mentioned.
    • Source: Various ransomware leak site posts.

Observations and Further Recommendations

  • The Rhysida campaign’s use of fraudulently signed certificates highlights a trend of attackers attempting to bypass security controls by masquerading as legitimate software. This underscores the need for robust application control and behavioral monitoring.
  • The high volume of victim posts from various groups (Akira, Everest, Radar, etc.) indicates a sustained and broad campaign of data theft and extortion across nearly all business sectors.
  • Organizations should prioritize network segmentation to limit lateral movement, enforce multi-factor authentication (MFA), and maintain offline, immutable backups to ensure they can recover critical data without succumbing to ransom demands.

News Details

  • New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs: Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor. According to Seqrite Labs, the attack chain involves distributing phishing emails containing a ZIP archive as a way to trigger the infection.
  • Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT: The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). “The campaign relied on phishing emails with PDFs that contained embedded malicious links,” said Pei Han Liao, researcher with Fortinet’s FortiGuard.
  • North Korean Hackers Combine BeaverTail and OtterCookie into Advanced JS Malware: The North Korean threat actor linked to the Contagious Interview campaign has been observed merging some of the functionality of two of its malware programs, indicating that the hacking group is actively refining its toolset. That’s according to new findings from Cisco Talos, which said recent campaigns undertaken by the hacking group have seen the functions of BeaverTail and OtterCookie coming.
  • Identity Security: Your First and Last Line of Defense: The danger isn’t that AI agents have bad days — it’s that they never do. They execute faithfully, even when what they’re executing is a mistake. A single misstep in logic or access can turn flawless automation into a flawless catastrophe.
  • Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices: Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability.
  • Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign: Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said.
  • ConnectWise fixes Automate bug allowing AiTM update attacks: ConnectWise released a security update to address vulnerabilities, one of them of critical severity, in its Automate product that could expose sensitive communications to interception and modification.
  • American Airlines subsidiary Envoy confirms Oracle data theft attack: Envoy Air, a regional carrier owned by American Airlines, has confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
  • Microsoft lifts more safeguard holds blocking Windows 11 updates: Microsoft has removed two more compatibility holds preventing customers from installing Windows 11 24H2 via Windows Update.
  • Europol dismantles SIM box operation renting numbers for cybercrime: European law enforcement in an operation codenamed ‘SIMCARTEL’ has dismantled an illegal SIM-box service that enabled more than 3,200 fraud cases and caused at least 4.5 million euros in losses.
  • Microsoft fixes highest-severity ASP.NET Core flaw ever: Earlier this week, Microsoft patched a vulnerability that was flagged with the “highest ever” severity rating received by an ASP.NET Core security flaw.
  • VMware Certification: Your Next Career Power Move: VMware certification isn’t just about passing exams — it’s about mastering systems, proving expertise, and your career.
  • Microsoft fixes Windows bug breaking localhost HTTP connections: Microsoft has fixed a known issue breaking HTTP/2 localhost (127.0.0.1) connections and IIS websites after installing recent Windows security updates.
  • Over 266,000 F5 BIG-IP instances exposed to remote attacks: Internet security nonprofit Shadowserver Foundation has found more than 266,000 F5 BIG-IP instances exposed online after the security breach disclosed by cybersecurity company F5 this week.
  • Windows 11 updates break localhost (127.0.0.1) HTTP/2 connections: Microsoft’s October Windows 11 updates have broken the “localhost” functionality, making applications that connect back to 127.0.0.1 over HTTP/2 no longer function properly.
  • Auction giant Sotheby’s says data breach exposed financial information: Major international auction house Sotheby’s is notifying individuals of a data breach incident on its systems where threat actors stole sensitive information, including financial details.
  • Have I Been Pwned: Prosper data breach impacts 17.6 million accounts: Hackers stole the personal information of over 17.6 million people after breaching the systems of financial services company Prosper.
  • Hackers exploit Cisco SNMP flaw to deploy rootkit on switches: Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
  • The lab where GM is cooking up new EV batteries to beat China: Inside General Motors’ fast-growing battery labs in suburban Detroit, scientists and engineers are analyzing stresses on lithium-ion cells: desert heat, arctic cold, jungle humidity, enough charging and discharging for a half-dozen Frankenstein reboots.
  • Facebook’s new button lets its AI look at photos you haven’t uploaded yet: Meta has rolled out an opt-in AI feature to its US and Canadian Facebook users that claims to make their photos and videos more “shareworthy.” The only catch is that the feature is designed for your phone’s camera roll — not the media you’ve already uploaded to Facebook.
  • The best budget smartphone you can buy: You can get a great budget device these days if you know how to pick your priorities. Some of us take a kind of “I eat to live” rather than an “I live to eat” approach to gadgets.
  • The US has a new roadmap for fusion energy, without the funds to back it up: The Department of Energy (DOE) released a new roadmap for the US to realize the decades-long dream of harnessing fusion energy. It’s a commitment to support research and development efforts and pursue public-private partnerships to finally build the first generation of fusion power plants.
  • Fictional gadget reviews: exploring the latest in fantasy and sci-fi tech: Modern gadgets are all well and good, but sometimes things get more exciting when you enter the realm of fantasy. And the worlds of gaming, TV, and film often feature extremely cool gadgets that we just wish were real.
  • Pokémon Legends: Z-A Rotom Phone review: better camera, higher jumps: Though the Pokémon games’ Rotom Phones haven’t really changed all that much design-wise over the past few years, each generation has introduced new functionalities that made upgrading a no-brainer.
  • Ex-lidar CEO makes a bid to reclaim his company: Earlier this year, Luminar founder and CEO Austin Russell abruptly resigned from his position after it was revealed he was the target of an ethics inquiry. Now, the 30-year-old billionaire is trying to wrest back control of his old company.
  • Amazon’s Ring now works with video surveillance company Flock: Amazon’s smart doorbell company Ring is now working with the AI-powered surveillance camera company Flock. According to a letter sent to the company by Sen. Ron Wyden, Flock had allowed data access to the Secret Service and the Navy — as well as ICE, as previously reported by 404 Media.
  • Kelly Reichardt’s anti-heist movie: Kelly Reichardt has been called one of America’s greatest filmmakers, and also one of its quietest. But her latest, The Mastermind, centered on an art heist that goes off the rails, is probably her loudest movie yet and definitely her biggest budget to date.
  • SteelSeries makes some of the best wireless gaming earbuds, and they’re 36 percent off: When I have to decide which wireless gaming earbuds that I want to use, it’s a tough choice between the SteelSeries Arctis Buds and the Sony InZone Buds.
  • Microsoft Disrupts Ransomware Campaign Abusing Azure Certificates: Microsoft revoked more than 200 digital certificates that threat actors used to sign fake Teams binaries that set the stage for Rhysida ransomware attacks.
  • AI Agent Security: Whose Responsibility Is It?: The shared responsibility model of data security, familiar from cloud deployments, is key to agentic services, but cybersecurity teams and corporate users often struggle with awareness and managing that risk.
  • AI Chat Data Is History’s Most Thorough Record of Enterprise Secrets. Secure It Wisely: AI interactions are becoming one of the most revealing records of human thinking, and we’re only beginning to understand what that means for law enforcement, accountability, and privacy.
  • Cyberattackers Target LastPass, Top Password Managers: Be aware: a rash of phishing campaigns are leveraging the anxiety and trust employees have in password vaults securing all of their credentials.
  • Leaks in Microsoft VS Code Marketplace Put Supply Chain at Risk: Researchers discovered more than 550 unique secrets exposed in Visual Studio Code marketplaces, prompting Microsoft to bolster security measures.
  • China Hackers Test AI-Optimized Attack Chains in Taiwan: AI might help some threat actors in certain respects, but one group is proving that its use for cyberattacks has its limits.
  • 🏴‍☠️ Everest has just published a new victim : Collins Aerospace / RTX.com: Collins Aerospace, a unit of Raytheon Technologies Corporation, is a leader in technologically advanced, intelligent solutions for the global aerospace and defense industry.
  • 🏴‍☠️ Everest has just published a new victim : MUSE-INSECURE: Inside Collins Aerospaces Security Failure: N/A
  • 🏴‍☠️ Sinobi has just published a new victim : D Magazine Partners: Founded in 1974, D Magazine is a monthly magazine covering Dallas-Fort Worth. Topics include Food, Arts, Home, Living, Business, and Weddings.
  • 🏴‍☠️ Sinobi has just published a new victim : HOEHNER RESEARCH & CONSULTING GROUP: HOEHNER RESEARCH & CONSULTING GROUP GmbH is a company that operates in the Advertising & Marketing industry.
  • 🏴‍☠️ Thegentlemen has just published a new victim : Madagascar Airlines: Madagascar Airlines offers regular flights to major cities in Madagascar from Antananarivo, providing an online booking platform for travelers.
  • 🏴‍☠️ Rhysida has just published a new victim : Hematology Oncology Consultants: Hematology Oncology Consultants Michigan Hematology Oncology is a private practice dedicated to providing the highest level of quality care in a healing environment for the mind, body and spirit of patients dealing with cancer and blood disorders.
  • 🏴‍☠️ Play has just published a new victim : Cottage: United States
  • 🏴‍☠️ Coinbasecartel has just published a new victim : Desjardin Bank / Group: They did not want to pay
  • 🏴‍☠️ Incransom has just published a new victim : Shadrix & Parmer, P.C.: Documents, correspondence, payments, clients
  • 🏴‍☠️ Pear has just published a new victim : GFF&F – Galine, Frye, Fitting & Frangos, LLP: Highest-rated San Mateo personal injury attorneys
  • 🏴‍☠️ Akira has just published a new victim : Manko Window Systems: Manko Window Systems is a manufacturer of commercial windows, aluminum systems, and glass products. We are ready to upload 20gb of corporate documents.
  • 🏴‍☠️ Akira has just published a new victim : Tenryu America: Tenryu America, Inc. is a leading manufacturer of high-quality saw blades, offering over 3,000 types of carbide blades. We are ready to upload corporate documents.
  • 🏴‍☠️ Devman has just published a new victim : pharmaciedesalizes.fr: Ransom: 50k 80gb
  • 🏴‍☠️ Radar has just published a new victim : Sold Real Estate, Sold RE PTY LTD: Sold Real Estate and UrbanX PTY LTD share an Active Directory network infrastructure.
  • 🏴‍☠️ Radar has just published a new victim : UrbanX PTY LTD: UrbanX PTY LTD. It is an Australian company that provides a platform to support real estate agents in building their own brands.
  • 🏴‍☠️ Radar has just published a new victim : One Agency Eastlakes: One Agency Eastlakes Real Estate Agency in Swansea, NSW 2281 offers specialist property services. One Agency Eastlakes and UrbanX PTY LTD share an Active Directory network infrastructure.
  • 🏴‍☠️ Nova has just published a new victim : Alitech: Poland. Founded in 1996 as a family business, over the years of distribution of measuring quality control systems, Alitech continuously builds its position as a specialist in precision measurement engineering.
  • 🏴‍☠️ Akira has just published a new victim : Consolidated Restaurant Operations, Inc.: Consolidated Restaurant Operations, Inc. (CRO) operates more full-service and franchise restaurants internationally. We are ready to upload 38gb of corporate documents.
  • 🏴‍☠️ Akira has just published a new victim : Plastics Extrusion Machinery: Plastics Extrusion Machinery LLC, known as PEM, is a leading provider of innovative downstream equipment. We are ready to upload 350gb of corporate documents.
  • 🏴‍☠️ Akira has just published a new victim : Curtis Steel Co: Curtis Steel Aluminum Co. is a leading tubing supplier based in Las Vegas. We are ready to upload more than 20GB data.
  • 🏴‍☠️ Ransomhouse has just published a new victim : WEBER: WEBER GmbH has been a reliable partner in automation, engineering, and environmental simulation since 1979, offering innovative solutions across various industries.
  • 🏴‍☠️ Rhysida has just published a new victim : GEIGER: GEIGER Antriebstechnik is a leading manufacturer of innovative mechanical and electric drive solutions for sun protection products.
  • 🏴‍☠️ Blackshrantac has just published a new victim : SK shieldus: “SK shieldus” is a technology company focused on mobile and web application security. They specialize in providing comprehensive security solutions by using Artificial Intelligence algorithms.
  • 🏴‍☠️ Anubis has just published a new victim : Aussie Fluid Power: An Australian engineering leader has fallen victim to a cyberattack causing a data breach.
  • 🏴‍☠️ Devman has just published a new victim : www.om*nt.com: Ransom: 1400000 USD
  • 🏴‍☠️ Nova has just published a new victim : M3 Group Sp. z oo: Poland. IT company providing services in the areas of IT support, dedicated software, web software, implementation, consulting, and the delivery of IT systems for businesses.
  • 🏴‍☠️ Nova has just published a new victim : ShareP: Switzerland. Startup that provides a plug-and-play solution to digitize and optimize urban parking and electric vehicle (EV) charging infrastructure.
  • 🏴‍☠️ Play has just published a new victim : BMP Worldwide: United States
  • Email Bombs Exploit Lax Authentication in Zendesk: Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.