Ransomware Update – 2025-10-21

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Muji (via Supplier Attack):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Supply chain attack; a ransomware attack on the company’s delivery partner, Askul, caused a logistics outage.
    • Targets: Japanese retail company Muji was impacted, while its supplier, Askul, was the direct target.
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]
  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration for double extortion. The group claims to have stolen 81GB of data.
    • Targets: Selig Enterprises (real estate) and AAA Parking (parking management).
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]
  • Lynx:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion via a leak site.
    • Targets: Trail Ridge Energy (oil & gas), DeKalb County, GA (government), Chester County Library System (public sector), and SAACKE GmbH (industrial systems).
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]
  • Sinobi:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion via a leak site.
    • Targets: A wide range of entities including McDonald Building (construction), Greater Mental Health of New York (healthcare), Tryon Distributing (distribution), Grupo JSA (engineering), and several medical and service-based companies.
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]
  • Medusa:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion. Claimed a 1TB data leak from one victim.
    • Targets: Imagicle (IT), Linxx Global Solutions (security services), and DALCANS (commerce).
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]
  • Other Ransomware Groups (Nova, Kairos, Braincipher, Obscura, Blackshrantac, etc.):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and public shaming on dedicated leak sites.
    • Targets: Diverse sectors including IT (BRDSoft), construction (Gruppe Lehnen), legal (Orange County Bar Association), government (oxfordcounty.ca), hospitality (Cape Dara Resort Pattaya), finance (Al Ahly Leasing), and real estate (Peppermint Properties).
    • Decryption Status: No known decryption method mentioned.
    • Source: [Source from provided articles]

Observations and Further Recommendations

  • Ransomware groups continue to target a wide and diverse range of industries across the globe, including critical sectors like government, healthcare, finance, and energy.
  • The dominant tactic is double extortion, where attackers steal sensitive data before encryption and threaten to publish it on leak sites to pressure victims into paying a ransom.
  • Supply chain attacks remain a critical vulnerability. The incident affecting Muji highlights how an attack on a single supplier can cause significant operational disruptions for larger partners.
  • Organizations should prioritize vetting the security posture of their partners, maintaining offline backups, and creating a comprehensive incident response plan to mitigate the impact of ransomware attacks.

News Details

  • Securing AI to Benefit from AI: Artificial intelligence (AI) holds tremendous promise for improving cyber defense and making the lives of security practitioners easier. It can help teams cut through alert fatigue, spot patterns faster, and bring a level of scale that human analysts alone can’t match. But realizing that potential depends on securing the systems that make it possible.
  • Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers: A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased “operations tempo” from the threat actor.
  • Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network: A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.
  • Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.
  • ⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More: It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect.
  • Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches: ClickFix, FileFix, fake CAPTCHA — whatever you call it, attacks where users interact with malicious scripts in their web browser are a fast-growing source of security breaches.
  • 131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign: Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.
  • MSS Claims NSA Used 42 Cyber Tools in Multi-Stage Attack on Beijing Time Systems: China on Sunday accused the U.S. National Security Agency (NSA) of carrying out a “premeditated” cyber attack targeting the National Time Service Center (NTSC), as it described the U.S. as a “hacker empire” and the “greatest source of chaos in cyberspace.”
  • Windows 11 KB5070773 emergency update fixes Windows Recovery issues: Microsoft has released an emergency update to fix the Windows Recovery Environment (WinRE), which became unusable on systems with USB mice and keyboards after installing the October 2025 security updates. […]
  • DNS0.EU private DNS service shuts down over sustainability issues: The DNS0.EU non-profit public DNS service focused on European users announced its immediate shut down due to time and resource constraints. […]
  • Microsoft: October updates break USB input in Windows Recovery: Microsoft has confirmed that this month’s security updates disable USB mice and keyboards in the Windows Recovery Environment (WinRE), making it unusable. […]
  • Retail giant Muji halts online sales after ransomware attack on supplier: Japanese retail company Muji has taken offline its store due to a logistics outage caused by a ransomware attack at its delivery partner, Askul. […]
  • Over 75,000 WatchGuard security devices vulnerable to critical RCE: Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and still vulnerable to a critical issue (CVE-2025-9242) that could allow a remote attacker to execute code without authentication. […]
  • CISA: High-severity Windows SMB flaw now exploited in attacks: CISA says threat actors are now actively exploiting a high-severity Windows SMB privilege escalation vulnerability that can let them gain SYSTEM privileges on unpatched systems. […]
  • Self-spreading GlassWorm malware hits OpenVSX, VS Code registries: A new and ongoing supply-chain attack is targeting developers on the OpenVSX and Microsoft Visual Studio marketplaces with self-spreading malware called GlassWorm that has been installed an estimated 35,800 times. […]
  • Microsoft fixes Windows Server Active Directory sync issues: Microsoft is rolling out a fix for Active Directory issues affecting some Windows Server 2025 systems after installing security updates released since September. […]
  • Microsoft warns of Windows smart card auth issues after October updates: Microsoft says the October 2025 Windows security updates are causing smart card authentication and certificate issues due to a change designed to strengthen the Windows Cryptographic Services. […]
  • Find hidden malicious OAuth apps in Microsoft 365 using Cazadora: Malicious OAuth apps can hide inside Microsoft 365 tenants. Huntress Labs’ Cazadora script helps uncover rogue apps before they lead to a breach. Dive deeper in their Tradecraft Tuesday sessions. […]
  • AWS outage crashes Amazon, Prime Video, Fortnite, Perplexity and more: AWS outage has taken down millions of websites, including Amazon.com, Prime Video, Perplexity AI, Canva and more. […]
  • TikTok videos continue to push infostealers in ClickFix attacks: Cybercriminals are using TikTok videos disguised as free activation guides for popular software like Windows, Spotify, and Netflix to spread information-stealing malware. […]
  • Amazon hopes to replace 600,000 US workers with robots, according to leaked documents: Amazon is reportedly leaning into automation plans that will enable the company to avoid hiring more than half a million US workers. Citing interviews and internal strategy documents, The New York Times reports that Amazon is hoping its robots can replace more than 600,000 jobs it would otherwise have to hire in the United States by 2033.
  • Yelp’s AI can now take reservations over the phone: Yelp’s AI-powered solutions promise to answer calls, take reservations, and manage bookings for “understaffed” restaurants. Yelp Host and Yelp Receptionist are part of a broader push from the company and similar platforms embracing AI to streamline customer management “around the clock.”
  • Google’s new deadline for Epic consequences is October 29th: Two days from today, October 22nd, was Google’s deadline to begin opening up its app store, stop forcing developers to use Google Play Billing, let them set their own prices, and more, following Epic’s repeated wins in Epic v. Google. But both Epic and Google have just successfully and mysteriously argued for one final week’s delay.
  • Bryan Cranston and SAG-AFTRA say OpenAI is taking their deepfake concerns seriously: Actors, studios, agents, and the actors union SAG-AFTRA have all expressed their concerns about appearing in Sora 2’s AI-generated videos ever since the deepfake machine was released last month. Now a joint statement from actor Bryan Cranston, OpenAI, the union, and others says that after videos of him appeared on Sora…the company has “strengthened guardrails” around its opt-in policy for likeness and voice.
  • Ninja Gaiden 4 is the perfect place to jump into the series: When the first 3D Ninja Gaiden came out on Xbox in 2004, I really wanted to play it; though the game looks a little antiquated now, at the time, teenage me thought that ninja protagonist Ryu Hayabusa was cool as hell.
  • I tested 15 cases for the Switch 2 and these are the best: You might find it kind of sad to put your hard-earned Switch 2 into a protective case. To me, it’s freeing. Using a case relieves me of the worry that it will accumulate tons of little scratches, or worse. I’ve tested several types of cases on the Nintendo Switch 2 since its June 2025 debut.
  • Apple adds a new toggle to make Liquid Glass less glassy: Apple’s latest iOS 26.1 beta has a new option that lets you tint Liquid Glass elements of iOS 26 so that they are more opaque. Since announcing Liquid Glass at WWDC this year, Apple has tweaked exactly how glassy Liquid Glass is — early on, there were some legibility issues — but this new setting gives you the choice of making things more transparent or more frosted.
  • I tested a bunch of Switch 2 screen protectors, and these are the best: A glass screen protector is one of a few essential accessories that every Switch 2 owner should make, along with a select few others. In fact, it should be a priority to stick one onto the console’s screen as soon as possible to avoid accidental scratches.
  • Blind patients read again with smart glasses-linked eye implant: Several dozen patients with vision loss due to a progressive form of blindness called age-related macular degeneration (AMD) regained some of their central vision thanks to an eye implant paired with a set of smart glasses.
  • Google will reportedly let 15 superfans test unreleased Pixel phones: There are but three certainties in life: death, taxes, and Google’s next Pixel phone getting thoroughly leaked before the company can even announce it. (Multiple generations of Pixel have been publicly unboxed, disassembled, and even reviewed before Google can show them off.)
  • ColdRiver Drops Fresh Malware on Targets: The Russia-backed threat actor’s latest cyber spying campaign is a classic example of how quickly sophisticated hacking groups can pivot when exposed.
  • International Sting Takes Down SIM Box Criminal Network: The operation took down a massive SIM card fraud network that provided fake phone numbers from more than 80 countries to criminals.
  • Is Your Car a BYOD Risk? Researchers Demonstrate How: If an employee’s phone connects to their car and then their corporate network, an attack against the car can reach the company.
  • Flawed Vendor Guidance Exposes Enterprises to Avoidable Risk: Oracle E-Business Suite customers received conflicting deployment guidance, leaving enterprises exposed to a recent zero-day flaw, Andrew argues.
  • New Microchip Tech Protects Vehicles from Laser Attacks: “FD-SOI” makes hardware attacks on silicon chips more difficult. And, researchers argue, it’ll help OEMs with regulatory compliance.
  • Self-Propagating GlassWorm Attacks VS Code Supply Chain: The sophisticated worm — which uses invisible code to steal credentials and turn developer systems into criminal proxies — has so far infected nearly 36k machines.
  • 🏴‍☠️ Nova has just published a new victim : BRDSoft: I.T. and Telecommunications company. Helps telecommunications companies, call centers, hosting companies, data centers and ISPs with a high number of solutions to make their business work better.
  • 🏴‍☠️ Lynx has just published a new victim : trailridgeenergy: Trail Ridge Energy Partners II LLC is a privately held oil and gas exploration and production company headquartered in Grapevine, Texas and operating in West Texas’ Permian Basin, one of the world’s largest accumulations of hydrocarbons.
  • 🏴‍☠️ Lynx has just published a new victim : www.dekalbcountyga.gov: DeKalb County is the third most populated county in the state of Georgia and is the county seat of Decatur.
  • 🏴‍☠️ Sinobi has just published a new victim : McDonald Building: McDonald Building Co. is a growing construction firm that embarks on innovative projects within the Architecture, Engineering, and Construction (AEC) industry.
  • 🏴‍☠️ Lynx has just published a new victim : www.ccls.org: The Chester County Library & District Center was established in 1962 and moved to its current location in 1980. Largely supported by the County of Chester, the library serves as the District Center as well as the Chester County Library System headquarters.
  • 🏴‍☠️ Sinobi has just published a new victim : Greater Mental Health of New York: Greater Mental Health of New York is the new name of the merged entity of The Mental Health Association of Westchester and The Mental Health Association of Rockland, two agencies who have a long history of collaboration and a shared mission and ethos for promoting mental health throughout the Hudson Valley region.
  • 🏴‍☠️ Sinobi has just published a new victim : Tryon Distributing: Founded in 1985, Tryon Distributing is a craft beer and fine wines distributor headquartered in Charlotte, North Carolina.
  • 🏴‍☠️ Sinobi has just published a new victim : Grupo JSA: Grupo JSA is a company that operates in the Architecture, Engineering & Design industry. It employs 20 to 49 people and has 5M to 10M of revenue. The company is headquartered in Rio de Janeiro, Rio de Janeiro, Brazil.
  • 🏴‍☠️ Sinobi has just published a new victim : MSC-Wireless: Wireless in the mountains
  • 🏴‍☠️ Sinobi has just published a new victim : South Atlanta Medical Clinic: South Atlanta Ambulatory Surgery Center is a specialized outpatient surgical facility in Stockbridge, Georgia, dedicated exclusively to ear, nose, and throat procedures.
  • 🏴‍☠️ Sinobi has just published a new victim : Harmony Brands: Harmony Brands was founded in 2014, from a desire to create a premium sod grass that matched the needs of the varied geography of the United States, and also measured up to the industry’s highest standards.
  • 🏴‍☠️ Sinobi has just published a new victim : Phoenix Village Dental: Phoenix Village Dental is a family dentistry practice designed with you in mind! We know how busy you are, and how difficult it is to fit dental visits for your family into your hectic schedule.
  • 🏴‍☠️ Kairos has just published a new victim : ocbar.org/USA/114GB: Unknown – Orange County Bar Association
  • 🏴‍☠️ Braincipher has just published a new victim : oxfordcounty.ca: [AI generated] Oxford County represents the best of both worlds: urban communities full of life, entertainment, and commerce; and rural areas that are rich in natural resources, history, and farming communities.
  • 🏴‍☠️ Braincipher has just published a new victim : cdom.org: [AI generated] N/A
  • 🏴‍☠️ Obscura has just published a new victim : Cape Dara Resort Pattaya: Revenue: $25.2kk | Leak Size: 80 GB | Status: Pending | Time Left: 8d 6h 57m 24s
  • 🏴‍☠️ Blackshrantac has just published a new victim : Computer World W.L.L: [AI generated] “Computer World W.L.L” is a reputable company located in the Kingdom of Bahrain. They specialize in providing IT products and services such as networking and data center solutions, cloud services, software development, and cybersecurity solutions.
  • 🏴‍☠️ Akira has just published a new victim : Selig Enterprises; AAA Parking: There are two companies in the upcoming leak. Selig Enterprises is a real estate company… And AAA Parking…is a parking management company. We are ready to upload 81 GB of corporate documents of these two companies.
  • 🏴‍☠️ Spacebears has just published a new victim : Supercash (Reuploaded): Supercash is a family business with over 40 years of experience. We specialize in distributing a wide variety of products for the hospitality industry… They are clients of Gesimde Asociados S.L. The leak was made possible by this company
  • 🏴‍☠️ Lynx has just published a new victim : saacke.com: SAACKE GmbH is a family-owned German company founded in 1931 and headquartered in Bremen. It specializes in the development and production of high-efficiency combustion and thermal energy systems for industrial and marine applications.
  • 🏴‍☠️ Blackshrantac has just published a new victim : Cabinets 2000, LLC: [AI generated] “Cabinets 2000, LLC” is a business that manufactures and sells a diverse variety of cabinetry products. Based in Norwalk, California, it serves a range of customers primarily in the residential market.
  • 🏴‍☠️ Blackshrantac has just published a new victim : Al Ahly Leasing & Factoring Company: [AI generated] Al Ahly Leasing & Factoring Company is an Egyptian financial institution specializing in leasing and factoring services. It’s a subsidiary of the National Bank of Egypt, the country’s largest commercial bank.
  • 🏴‍☠️ Ciphbit has just published a new victim : Peppermint Properties: [AI generated] “Peppermint Properties” is a company engaged in real estate and property management services. They primarily focus on providing an easy and hassle-free property renting, buying and selling experience to clients.
  • 🏴‍☠️ Ciphbit has just published a new victim : Corneilhan: [AI generated] N/A
  • 🏴‍☠️ Pear has just published a new victim : B. G. Schneider Treuhand AG Information: Accounting Service
  • 🏴‍☠️ Nova has just published a new victim : Gruppe Lehnen: We build for your future. The group, based in Sehlem, has 90 years of experience in civil engineering and road construction… 350 GB of documents stolen, get in touch by follow readme
  • 🏴‍☠️ Medusa has just published a new victim : Imagicle: Founded in 2010, Imagicle is headquartered in Italy and has a fully owned subsidiary in Dubai and Miami. Imagicle operates almost all over the world serving enterprises… Imagicle is Cisco Preferred Solution Partner.
  • 🏴‍☠️ Medusa has just published a new victim : Linxx Global Solutions: Linxx Global Solutions is a leading provider of mission-critical support services specializing in Training, Security, and Cyber Security solutions. Their primary goal is to enhance the safety, security, resiliency, and productivity of their clients through innovative problem-solving and a commitment to excellence.
  • 🏴‍☠️ Medusa has just published a new victim : DALCANS: The total amount of data leakage is 1 TB.
  • 🏴‍☠️ Play has just published a new victim : Accord Carton: United States
  • 🏴‍☠️ Everest has just published a new victim : Collins Aerospace Admits Responsibility for Flight Chaos at Heathrow, Brussels and Other M…: [AI generated] N/A
  • 🏴‍☠️ Safepay has just published a new victim : healthandvitalitycenter.com: The Health & Vitality Center is a holistic medical practice located at 11600 Wilshire Blvd, Suite 120, Los Angeles, CA. …