Ransomware Update – 2025-10-23

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Multiple Ransomware Groups Announce New Victims:
    • New Encrypted File Extension: Not specified in the announcements. The primary focus of these groups is data exfiltration for double extortion.
    • Attack Methods: Data theft and publication on leak sites to pressure victims into paying a ransom. Specific initial access vectors were not detailed in these brief announcements.
    • Targets: A diverse range of global industries were targeted by numerous groups:
      • Qilin: Highly active, targeting sectors such as healthcare (NurseSpring), IT services (Integral Networks), logistics (All Truck Transportation), manufacturing (Signet Armorlite), and hospitality (Magna Hospitality Group).
      • Nova: Targeted the luxury hospitality sector in India (The Laxmi Niwas Palace).
      • Embargo: Attacked a technology company (ACTi.com), claiming to have exfiltrated over 1.5TB of data.
      • Radar: Targeted an engineering firm (ROBERT G. DASHIELL, JR., P.E., INC.), exfiltrating approximately 500GB of data, along with a steel fabricator and a financial services company.
      • Other Groups: Play, Ransomhouse, Securotrop, Sinobi, and Thegentlemen also listed new victims across architecture, oil & gas, aviation, and manufacturing.
    • Decryption Status: No public decryptor is known for any of the families above. Recovery depends on restoring from offline or immutable backups; paying the ransom buys at most an attacker-supplied decryptor and does nothing about the data already exfiltrated, which is the lever in these double-extortion listings.
    • Source: Announcements made on the respective ransomware groups’ leak sites, as reported by the provided news feed.

Observations and Further Recommendations

  • Rapid Vulnerability Exploitation: Disclosed flaws are being weaponized within days, and exploitation continues long after a patch ships. Active campaigns target Adobe Commerce/Magento (CVE-2025-54236, CVSS 9.1; over 250 attempts against multiple stores in 24 hours), Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS v4 9.3, on-premises versions, now in CISA's KEV catalog), and the ToolShell flaw in Microsoft SharePoint, which was still being exploited weeks after Microsoft's July 2025 patch. Treat a KEV listing as the patch deadline, and confirm that internet-facing instances were actually updated rather than assuming the routine cycle reached them.
  • Persistent Nation-State Threats: Espionage campaigns by nation-state actors remain prevalent. Iran-linked MuddyWater used a compromised email account to distribute the Phoenix backdoor to organizations across the Middle East and North Africa, including over 100 government entities, while China-linked actors used the ToolShell SharePoint flaw to breach a telecommunications company in the Middle East.
  • Social Engineering as a Key Vector: Phishing and spear-phishing remain effective for initial access. The PhantomCaptcha campaign used fake Zoom meeting invitations and weaponized PDFs to deliver a remote access trojan with WebSocket command-and-control to organizations supporting Ukraine's war relief, while the Jingle Thief group uses phishing and smishing to steal credentials for the cloud environments of retailers that issue gift cards.
  • General Recommendations: Prioritize defense in depth: patch on exploitation-driven timelines (KEV listings, vendor exploitation notices) rather than a fixed cycle; train employees to recognize and report phishing, and pair that with phishing-resistant MFA so a stolen password alone is not enough; replace the static API keys, passwords and tokens used by workloads with managed or workload identities (short-lived, automatically rotated credentials) so a leaked secret has little value; and, given the WebSocket C2 noted above, review egress for long-lived WebSocket sessions to hosts outside your known collaboration and SaaS services.
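The patching recommendation above hinges on knowing which of your assets carry a KEV-listed flaw and how long you have. The following is an added example for this digest, not code from CISA or from any vendor named above: it cross-checks an asset inventory against a catalog excerpt in the shape of CISA's KEV JSON feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and uses the field names below). The two CVE IDs come from this digest; the dates, due dates and the inventory records are constructed placeholders, not CISA data. KEV due dates are binding on US federal civilian agencies under BOD 22-01; for everyone else they are a reasonable proxy for "already being exploited, patch now".

```python
"""Cross-check an asset inventory against a CISA-KEV-shaped catalog.

Added example for this digest, not CISA's or any vendor's code.
KEV_SAMPLE is a constructed excerpt using the real feed's field names
(cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse). CVE IDs are from the digest; all dates and
the INVENTORY records are placeholders.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-61932", "vendorProject": "Motex",
         "product": "Lanscope Endpoint Manager",
         "dateAdded": "2025-10-22", "dueDate": "2025-11-12",   # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-54236", "vendorProject": "Adobe",
         "product": "Commerce",
         "dateAdded": "2025-10-21", "dueDate": "2025-11-11",   # placeholder dates
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: the shape a scanner or CMDB export might have.
INVENTORY = [
    {"asset": "shop-web-01", "vendor": "Adobe", "product": "Commerce",
     "open_cves": ["CVE-2025-54236"]},
    {"asset": "ep-mgr-01", "vendor": "Motex", "product": "Lanscope Endpoint Manager",
     "open_cves": []},     # no scanner finding yet, but the product is in KEV
    {"asset": "build-01", "vendor": "ExampleCorp", "product": "CI Runner",
     "open_cves": []},
]


def load_kev(kev_json):
    """Index the catalog by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def _same_product(entry, asset):
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() == asset["product"].lower())


def _finding(asset, entry, today, how):
    due = date.fromisoformat(entry["dueDate"])
    return {
        "asset": asset["asset"],
        "cve": entry["cveID"],
        "product": f'{entry["vendorProject"]} {entry["product"]}',
        "match": how,            # "cve": scanner finding; "product": name match only
        "due": due.isoformat(),
        "days_left": (due - today).days,
        "overdue": today > due,
        "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
    }


def match_kev(kev_json, inventory, today):
    """Return KEV hits for the inventory, earliest due date first.

    `today` may be a date or an ISO date string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    kev = load_kev(kev_json)
    findings = []
    for asset in inventory:
        # 1. Exact hit: the scanner already attributes a KEV CVE to this asset.
        for cve in asset["open_cves"]:
            if cve in kev:
                findings.append(_finding(asset, kev[cve], today, "cve"))
        # 2. Product hit: KEV names the product but no scanner finding exists
        #    yet (new CVE, unauthenticated scan, agent not deployed). Worth a
        #    manual version check rather than silence.
        for entry in kev.values():
            if _same_product(entry, asset) and entry["cveID"] not in asset["open_cves"]:
                findings.append(_finding(asset, entry, today, "product"))
    findings.sort(key=lambda f: (f["due"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in match_kev(KEV_SAMPLE, INVENTORY, "2025-10-23"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f'{f["asset"]:<12} {f["cve"]:<16} {f["product"]:<28} '
              f'{f["match"]:<8} due {f["due"]} ({flag})')
```

The product-name match is deliberately loose: KEV product strings are not normalized, so in practice you will want a small alias table (for example "Magento Open Source" alongside "Commerce") and a manual review queue for "product" hits rather than treating them as confirmed exposure.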

News Details

  • 🏴‍☠️ Nova has just published a new victim : The Laxmi Niwas Palace: India. A luxury historic hotel located in a palace in Bikaner, India. It was built in 1902 for Maharaja Ganga Singh and is now a popular tourist destination offering guests accommodation in the former royal palace.
  • 🏴‍☠️ Qilin has just published a new victim : NurseSpring: NurseSpring specializes in home health care, health care staffing, and nurse recruitment services. They prioritize compassion, dignity, and respect while delivering care, ensuring clients receive the right care at the right time.
  • 🏴‍☠️ Embargo has just published a new victim : ACTi.com: ACTi Corporation, founded in 2003, is a leading application developer with Big Data, Robot, IoT, Cloud and AI Technologies to empower business intelligent solut… – more than 1.5TB of data has been downloaded.
  • 🏴‍☠️ Ransomhouse has just published a new victim : United Lube Oil: United Lube Oil Company (UNILUBE) owns and operates an oil refinery with modern technology for the production of high quality base oil. The plant is situated in Jubail Industrial City, Kingdom of Saudi Arabia and its commercial operation commenced in the year 2002.
  • Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw: E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. The vulnerability in question is CVE-2025-54236 (CVSS score: 9.1).
  • Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager.
  • Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign: The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities.
  • “Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards: Cybersecurity researchers have shed light on a cybercriminal group called Jingle Thief that has been observed targeting cloud environments associated with organizations in the retail and consumer services sectors for gift card fraud. “Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards,” Palo Alto Networks Unit 42 researchers said.
  • Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files: Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine’s war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).
  • Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft’s July Patch: Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025.
  • Why Organizations Are Abandoning Static Secrets for Managed Identities: As machine identities multiply across cloud environments, enterprises report productivity gains from eliminating static credentials, with legacy systems remaining the weak link. For decades, organizations have relied on static secrets, such as API keys, passwords, and tokens, as unique identifiers for workloads.
  • Vidar Stealer 2.0 adds multi-threaded data theft, better evasion: The operators of Vidar Stealer, one of the most successful malware-as-a-service (MaaS) operations of the past decade, have released a new major version to reflect massive improvements in the malware.
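The PhantomCaptcha item above describes a RAT whose C2 runs over a WebSocket, delivered through fake Zoom meeting lures. An added example for this digest (not code from the researchers who disclosed the campaign, nor from any vendor) shows the two cheap checks a SOC can run over web-proxy logs: a WebSocket handshake (HTTP 101 Switching Protocols or an `Upgrade: websocket` header) to a host outside the allowlist of collaboration services, escalated when the session is long-lived, and a brand keyword such as "zoom" appearing in a host that is not the brand's real domain. The JSON-lines log format, the allowlist, the brand table and the session threshold are all assumptions for this example; the log records are constructed with RFC 5737 addresses and RFC 2606 names, and the campaign's actual domains and indicators are not reproduced here.

```python
"""Flag WebSocket upgrades to non-allowlisted hosts and brand-lookalike hosts.

Added example for this digest, not the PhantomCaptcha research code or
any vendor's detection content. Log format, allowlist, brand table and
threshold are assumptions; SAMPLE_LOG is constructed.
"""
import json

# Assumed allowlist: domains where browser-initiated WebSockets are expected.
ALLOWED_WS_SUFFIXES = ("zoom.us", "teams.microsoft.com", "slack.com")

# Assumed brand table: keyword -> legitimate registrable domain.
BRAND_DOMAINS = {"zoom": "zoom.us", "teams": "microsoft.com"}

# Constructed proxy records (one JSON object per line).
SAMPLE_LOG = """
{"ts": "2025-10-23T09:01:10Z", "src_ip": "10.0.5.21", "host": "us02web.zoom.us", "method": "GET", "uri": "/wc/socket", "status": 101, "upgrade": "websocket", "duration_s": 2400, "bytes_out": 18231}
{"ts": "2025-10-23T09:02:44Z", "src_ip": "10.0.5.21", "host": "zoom-meeting-invite.example", "method": "GET", "uri": "/join/agenda.pdf", "status": 200, "upgrade": "", "duration_s": 2, "bytes_out": 512}
{"ts": "2025-10-23T09:03:05Z", "src_ip": "10.0.5.21", "host": "203.0.113.10", "method": "GET", "uri": "/ws", "status": 101, "upgrade": "websocket", "duration_s": 3600, "bytes_out": 980}
{"ts": "2025-10-23T09:03:30Z", "src_ip": "10.0.5.22", "host": "cdn.example.net", "method": "GET", "uri": "/app.js", "status": 200, "upgrade": "", "duration_s": 1, "bytes_out": 301}
"""


def _under(host, domain):
    """True if host is domain or a subdomain of it (suffix match on labels)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_websocket(rec):
    """Handshake = 101 Switching Protocols or an Upgrade: websocket header."""
    return rec.get("status") == 101 or rec.get("upgrade", "").lower() == "websocket"


def host_allowed(host):
    return any(_under(host, d) for d in ALLOWED_WS_SUFFIXES)


def lookalike(host):
    """Return the brand domain a host imitates, or None.

    Keyword matching is coarse (it will hit unrelated hosts containing
    'teams'); treat hits as triage candidates, not verdicts.
    """
    for keyword, real in BRAND_DOMAINS.items():
        if keyword in host.lower() and not _under(host, real):
            return real
    return None


def analyze(log_text, long_session_s=600):
    """Return findings with the reasons each record was flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = []
        if is_websocket(rec) and not host_allowed(rec["host"]):
            reasons.append("websocket upgrade to non-allowlisted host")
            if rec.get("duration_s", 0) >= long_session_s:
                reasons.append(f"long-lived session ({rec['duration_s']}s)")
        real = lookalike(rec["host"])
        if real:
            reasons.append(f"lookalike of {real}")
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src_ip"],
                             "host": rec["host"], "uri": rec["uri"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["ts"]} {f["src"]} -> {f["host"]}{f["uri"]}: {"; ".join(f["reasons"])}')
```

On the constructed log this flags the PDF fetch from the Zoom-lookalike host and the hour-long WebSocket to a bare IP, and leaves the genuine zoom.us session alone. The allowlist cuts both ways: a lure hosted on a lookalike domain is exactly what the keyword check is for, so do not widen the allowlist to "anything with zoom in the name" when tuning.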