Ransomware Update – 2025-10-19

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Rhysida:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Abused over 200 Microsoft Azure digital certificates (valid at the time, since revoked by Microsoft) to sign malicious, fake Microsoft Teams binaries, which were then used to deploy the ransomware.
    • Targets: Healthcare sector (e.g., Hematology Oncology Consultants) and other organizations susceptible to fake software updates.
    • Decryption Status: No known method yet.
    • Source: Monitored ransomware leak site feed and cybersecurity news reports.
  • Clop (Data Extortion):

    • New Encrypted File Extension: Not applicable (data theft and extortion focused).
    • Attack Methods: Breached an Oracle E-Business Suite application to steal data, followed by public extortion on their data leak site.
    • Targets: Envoy Air (an American Airlines subsidiary), indicating a focus on the aviation industry.
    • Decryption Status: Not applicable.
    • Source: Provided news feed.
  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration followed by threats of public release. The group claimed to have stolen 20GB of sensitive corporate and personal data.
    • Targets: Manufacturing sector, including Manko Window Systems and Tenryu America.
    • Decryption Status: No known method yet.
    • Source: Monitored ransomware leak site feed.
  • Other Active Groups (Qilin, Incransom, Everest):

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data theft and public shaming on leak sites.
    • Targets: A diverse range of sectors including healthcare (Long Island Weight Loss Institute), retail (summitgolfbrands.com), legal services (Shadrix & Parmer, P.C.), and aerospace/defense (Collins Aerospace).
    • Decryption Status: No known method yet.
    • Source: Monitored ransomware leak site feed.

Observations and Further Recommendations

  • Ransomware attacks continue to affect a wide array of industries, including critical sectors like healthcare, aviation, and manufacturing, demonstrating that no organization is immune.
  • Attackers are using sophisticated techniques to bypass security, such as the Rhysida group’s abuse of valid (though later revoked) digital certificates to make their malware appear legitimate.
  • The dominant trend remains “double extortion,” where threat actors not only encrypt files but also steal sensitive data and threaten to leak it to increase pressure on victims to pay the ransom.
  • Organizations should prioritize employee training to spot phishing attempts, validate the authenticity of software updates before installation, and maintain secure, offline backups to ensure data can be recovered without paying a ransom.
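An added example, not part of the original update, of the check the last recommendation above calls for: read a Windows binary's Authenticode signer and build its certificate chain with online revocation checking, so a file signed with a certificate the vendor has since revoked is reported as revoked rather than trusted. The file path is a placeholder; because the certificates abused in the Rhysida campaign were valid when the files were signed, the revocation check only helps after revocation, and the signer-name comparison is the earlier warning sign for a file posing as Teams.

```powershell
# Added example (not from the original page). Inspect a signed Windows binary:
# 1) Authenticode signature status, 2) signer identity, 3) chain build with
# online revocation checking for every certificate in the chain.
$Path = 'C:\path\to\suspect\Teams.exe'   # placeholder path, substitute the file to inspect

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status : $($sig.Status) ($($sig.StatusMessage))"

if ($null -eq $sig.SignerCertificate) {
    Write-Warning "File carries no Authenticode signature."
    return
}

$cert = $sig.SignerCertificate
Write-Host "Subject          : $($cert.Subject)"
Write-Host "Issuer           : $($cert.Issuer)"
Write-Host "Thumbprint       : $($cert.Thumbprint)"
Write-Host "Valid            : $($cert.NotBefore) -> $($cert.NotAfter)"

# Build the chain and force an online CRL/OCSP check of the whole chain, not just the leaf.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag   = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chainOk = $chain.Build($cert)
Write-Host "Chain builds     : $chainOk"

foreach ($s in $chain.ChainStatus) {
    # Each entry names one problem (Revoked, NotTimeValid, RevocationStatusUnknown, ...).
    Write-Host ("  - {0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
}

$revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
if ($chain.ChainStatus | Where-Object { $_.Status -eq $revokedFlag }) {
    Write-Warning "Signing certificate (or one of its issuers) is REVOKED; treat the binary as untrusted."
}

# A genuine Microsoft Teams build is signed by Microsoft Corporation. A technically valid
# signature from any other organization on a file presented as Teams is the red flag here.
if ($cert.Subject -notlike '*Microsoft Corporation*') {
    Write-Warning "Signer is not Microsoft Corporation; do not trust this file as a Microsoft update."
}
```

Run it against the installer before it is executed, and again after a vendor revocation notice, since a file that passed earlier can fail the revocation check later.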

News Details

  • Europol Dismantles SIM Farm Network Powering 49 Million Fake Accounts Worldwide: Europol on Friday announced the disruption of a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm and enabled its customers to carry out a broad spectrum of crimes ranging from phishing to investment fraud.
  • New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs: Cybersecurity researchers have shed light on a new campaign that has likely targeted the Russian automobile and e-commerce sectors with a previously undocumented .NET malware dubbed CAPI Backdoor.
  • Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia via HoldingHands RAT: The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins).
  • OpenAI confirms GPT-6 is not shipping in 2025: OpenAI is not planning to ship GPT-6 this year, but that doesn’t necessarily mean the company will not release new models.
  • Google ads for fake Homebrew, LogMeIn sites push infostealers: A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey.
  • ConnectWise fixes Automate bug allowing AiTM update attacks: ConnectWise released a security update to address vulnerabilities, one of them with critical severity, in its Automate product that could expose sensitive communications to interception and modification.
  • American Airlines subsidiary Envoy confirms Oracle data theft attack: Envoy Air, a regional airline carrier owned by American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.
  • Microsoft lifts more safeguard holds blocking Windows 11 updates: Microsoft has removed two more compatibility holds preventing customers from installing Windows 11 24H2 via Windows Update.
  • Europol dismantles SIM box operation renting numbers for cybercrime: European law enforcement in an operation codenamed ‘SIMCARTEL’ has dismantled an illegal SIM-box service that enabled more than 3,200 fraud cases and caused at least 4.5 million euros in losses.
  • The AI sexting era has arrived: This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. Since ChatGPT became a household name, people have been trying to get sexy with it.
  • TiVo won the court battles, but lost the TV war: In the 2000s, TiVo reached heights few companies ever achieve. Like Google and Xerox, its name became a verb. While it didn’t invent the DVR, TiVo popularized it and many of the features we would eventually take for granted.
  • Motorola’s Razr Ultra and the Marshall Emberton II top this week’s best deals: If you’ve been thinking about buying a foldable phone that truly stands out, few models can rival the 2025 Motorola Razr Ultra, which is currently on sale at Amazon and Best Buy with 16GB of RAM and 512GB starting at $999.99 ($300 off).
  • 8BitDo’s new collection celebrates the NES’s 40th anniversary: Forty years ago today, the Nintendo Entertainment System launched in North America, and to help celebrate the anniversary, 8BitDo has announced a new NES40 collection.
  • Pokémon Legends: Z-A makes a big, welcome change for shiny hunters: Pokémon Legends: Z-A hadn’t been out even a few hours before the tweets started rolling in: Shiny pokémon don’t despawn. You can walk away from a shiny, and it’ll still be there when you come back.
  • Easy Delivery Co. is a cozy, Lynchian dream: I have been a fan of David Lynch ever since a friend’s older brother interrupted a 13th birthday celebration to insist we all watch Eraserhead.
  • The future I saw through the Meta Ray-Ban Display amazes and terrifies me: Outside a florist-cum-coffee shop in upstate New York, a row of vintage cars gleam in the sun. It’s unseasonably warm for early October, so there’s a veritable crowd of car enthusiasts snapping photos of Ferraris, Porsches, and a vintage Alfa Romeo.
  • The lab where GM is cooking up new EV batteries to beat China: Inside General Motors’ fast-growing battery labs in suburban Detroit, scientists and engineers are analyzing stresses on lithium-ion cells: desert heat, arctic cold, jungle humidity, enough charging and discharging for a half-dozen Frankenstein reboots.
  • Facebook’s new button lets its AI look at photos you haven’t uploaded yet: Meta has rolled out an opt-in AI feature to its US and Canadian Facebook users that claims to make their photos and videos more “shareworthy.” The only catch is that the feature is designed for your phone’s camera roll — not the media you’ve already uploaded to Facebook.
  • The best budget smartphone you can buy: You can get a great budget device these days if you know how to pick your priorities. Some of us take a kind of “I eat to live” rather than an “I live to eat” approach to gadgets.
  • Cyber Academy Founder Champions Digital Safety for All: Aliyu Ibrahim Usman, founder of the Cyber Cadet Academy in Nigeria, shares his passion for raising cybersecurity awareness in the wake of mounting security concerns worldwide.
  • Microsoft Disrupts Ransomware Campaign Abusing Azure Certificates: Microsoft revoked more than 200 digital certificates that threat actors used to sign fake Teams binaries that set the stage for Rhysida ransomware attacks.
  • 🏴‍☠️ Qilin has just published a new victim: Long Island Weight Loss Institute: Long Island Weight Loss Institute is a medical weight loss clinic that offers physician-supervised weight loss programs designed to treat the whole person.
  • 🏴‍☠️ Incransom has just published a new victim: summitgolfbrands.com: SUMMIT GOLF BRANDS specializes in high-end golf apparel and sportswear, selling products online and through leading country clubs and resorts worldwide.
  • 🏴‍☠️ Everest has just published a new victim: Collins Aerospace / RTX.com: Collins Aerospace, a unit of Raytheon Technologies Corporation, is a leader in technologically advanced, intelligent solutions for the global aerospace and defense industry.
  • 🏴‍☠️ Rhysida has just published a new victim: Hematology Oncology Consultants: Hematology Oncology Consultants Michigan Hematology Oncology is a private practice dedicated to providing the highest level of quality care in a healing environment for the mind, body and spirit of patients dealing with cancer and blood disorders.
  • 🏴‍☠️ Akira has just published a new victim: Manko Window Systems: Manko Window Systems is a manufacturer of commercial windows, aluminum systems, and glass products. We are ready to upload 20gb of corporate documents.