Ransomware Update – 2025-10-22

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Pacific West Systems Supply (Wall and Ceiling supplier), Mailing.com (Printing and mailing company), Nvno (Napierski, VanDenburgh, Napierski & O’Connor, L.L.P. law firm).
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Beast:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Microdevice (Building automation systems).
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Braincipher:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: oxfordcounty.ca (Oxford County municipality), cdom.org.
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Genesis:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Multiple US-based entities including Southern Specialty and Supply, Roth & Scholl (Legal), River City Eye (Optometry), Austin Capital Trust (Finance), Healthy Living Market and Café, Claimlinx (Insurance), Ronemus & Vilensky (Legal), Dependable Plastic (Janitorial supplies), and I-Tek Medical Technologies.
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Incransom:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Kumwell (Grounding and lightning protection systems).
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Qilin:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Applied Technology Resources (Title Search Exams), Northern Light Technologies (Mining and tunnelling solutions), Tri City Foods (Burger King franchisee).
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Sinobi:

    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: A diverse range of organizations including SANHUA INTERNATIONAL (Refrigeration components), Prime Dental, Crave Management (Fast-food franchisee), McDonald Building (Construction), Greater Mental Health of New York, and South Atlanta Medical Clinic.
    • Decryption Status: No known free decryption tool.
    • Source: Ransomware leak site announcement.
  • Other Active Groups:

    • Groups: Payoutsking, Thegentlemen, Radar, Play, Rhysida, Lynx, Crypto24, Nova, Kairos, and Obscura have each announced new victims.
    • New Encrypted File Extension: Not specified in the provided news.
    • Attack Methods: Not specified in the provided news.
    • Targets: Victims span numerous industries globally, including finance (Epia Financial Services), legal (Orange County Bar Association), engineering (ROBERT G. DASHIELL, JR., P.E., INC.), government (DeKalb County), hospitality (Cape Dara Resort Pattaya), and technology (Peraso).
    • Decryption Status: No known free decryption tools for these active threats.
    • Source: Ransomware leak site announcements.

Observations and Further Recommendations

  • A significant number of ransomware groups are actively publicizing victims, indicating a high operational tempo in the cybercrime ecosystem. The victim list showcases a broad targeting strategy, affecting industries from manufacturing and legal services to government, healthcare, and technology.
  • The targeted organizations are geographically diverse, with victims located in the United States, Canada, Europe, and Asia, highlighting the global nature of the ransomware threat.
  • To defend against such threats, organizations should prioritize fundamental cybersecurity measures. This includes maintaining regular, offline data backups, implementing multi-factor authentication (MFA) across all services, providing continuous security awareness training to employees to spot phishing attempts, and ensuring timely patching of software and system vulnerabilities.

News Details

  • Why You Should Swap Passwords for Passphrases: The advice didn’t change for decades: use complex passwords with uppercase, lowercase, numbers, and symbols. The idea is to make passwords harder for hackers to crack via brute force methods. But more recent guidance shows our focus should be on password length, rather than complexity.
  • Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware: Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.
  • TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution: Cybersecurity researchers have disclosed details of a high-severity flaw impacting the popular async-tar Rust library and its forks, including tokio-tar, that could result in remote code execution under certain conditions.
  • TP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution: TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.
  • Meta Rolls Out New Tools to Protect WhatsApp and Messenger Users from Scams: Meta on Tuesday said it’s launching new tools to protect Messenger and WhatsApp users from potential scams. To that end, the company said it’s introducing new warnings on WhatsApp when users attempt to share their screen with an unknown contact during a video call.
  • PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign: Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology.
  • Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers: A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased “operations tempo” from the threat actor.
  • Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network: A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon. The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.
  • Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws to its Known Exploited Vulnerabilities (KEV) Catalog, officially confirming a recently disclosed vulnerability impacting Oracle E-Business Suite (EBS) has been weaponized in real-world attacks.
  • SharePoint ToolShell attacks targeted orgs across four continents: Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations.
  • Vidar Stealer 2.0 adds multi-threaded data theft, better evasion: The operators of Vidar Stealer, one of the most successful malware-as-a-service (MaaS) operations of the past decade, have released a new major version to reflect massive improvements in the malware.
  • 🏴‍☠️ Qilin has just published a new victim : Applied Technology Resources: Applied Technology Resources, Inc. is an international leader in Title Search Exams throughout the United States, offering unmatched accuracy and turnaround times through their proprietary information system.
  • 🏴‍☠️ Thegentlemen has just published a new victim : PT Pupuk Iskandar Muda: PT Pupuk Iskandar Muda is a chemical manufacturing company based in Lhokseumawe, Aceh. As a subsidiary of PT PIHC, they focus on producing two key agricultural products: urea and ammonia fertilizers.
  • 🏴‍☠️ Radar has just published a new victim : ROBERT G. DASHIELL, JR., P.E., INC.: Robert G Dashiell Jr PE Inc is a reputable engineering firm based in Norfolk, VA, specializing in providing professional engineering services. Around 500 GB of confidential data.
  • 🏴‍☠️ Incransom has just published a new victim : Kumwell: Kumwell delivers safety to society for life and property with an International Standard for Grounding System, Lightning Protection System, Surge Protection, Lightning Detection and Warning System for safety and security in the infrastructure system in various countries.
  • 🏴‍☠️ Play has just published a new victim : Nelligan White Architects: United States
  • 🏴‍☠️ Akira has just published a new victim : Pacific West Systems Supply: Proudly known as “PacWest,” Pacific West Systems Supply Ltd. is a leading Wall and Ceiling Industry supplier. We are ready to upload 224 GB of corporate documents.
  • 🏴‍☠️ Genesis has just published a new victim : Southern Specialty and Supply: Provide support for offshore, onshore, and drilling operations.
  • 🏴‍☠️ Lynx has just published a new victim : www.dekalbcountyga.gov: DeKalb County is the third most populated county in the state of Georgia and is the county seat of Decatur.