Latest Ransomware News and New File Extensions
Qilin (aka Agenda):
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Employs a Linux payload combined with a Bring Your Own Vulnerable Driver (BYOVD) exploit in hybrid attacks. Utilizes a ransomware-as-a-service (RaaS) model and double extortion by publishing stolen data on its leak site.
- Targets: A wide range of organizations, including Malgor (food supplier), InfraCom Group (IT), South Alabama Regional Planning Commission (government), and Essential Cabinetry Group (manufacturing). The group is highly active, claiming over 40 victims monthly.
- Decryption Status: No known decryption method mentioned.
- Source: Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack / Ransomware leak site monitoring.
Akira:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion via its data leak site.
- Targets: Flegenheimer International (customs broker), Precision Machined Products (oil & gas supplier).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware leak site monitoring.
Incransom:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public disclosure threats to pressure victims.
- Targets: D. W. Gould Realty Advisors Inc. (realty), Partitio (IT services), Industrias Auge S.A de C.V (manufacturing).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware leak site monitoring.
Beast:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion via its data leak site.
- Targets: GeBePro (technical systems management), Bolt Electricity, Oil & Gas (energy solutions).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware leak site monitoring.
Everest:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion via its data leak site.
- Targets: Dublin Airport (transportation), Air Arabia (airline).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware leak site monitoring.
Play:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion via its data leak site.
- Targets: LaBonne and Metal Pros (both United States-based entities).
- Decryption Status: No known decryption method mentioned.
- Source: Ransomware leak site monitoring.
Other Active Groups:
- Pear: Targeted Miami Management (property management).
- Crypto24: Targeted Meinhardt Group and Bayu Buana Travel.
- Coinbasecartel: Targeted Limocar by Transdev.ca (transportation).
- Thegentlemen: Targeted Donacoop / VinaCapital (conglomerate/investment).
- Nova: Targeted Papsud (office products retail).
RedTiger-based Infostealer:
- New Encrypted File Extension: N/A (Information Stealer).
- Attack Methods: An infostealer built using the open-source RedTiger tool.
- Targets: Discord users, aiming to steal account credentials and payment information.
- Decryption Status: N/A.
- Source: Hackers steal Discord accounts with RedTiger-based infostealer.
Observations and Further Recommendations
- The Qilin ransomware group continues to be a major threat, noted for its high volume of attacks (over 40 per month) and use of sophisticated hybrid attack methods targeting both Linux and Windows systems.
- A diverse range of industries remain under constant threat, including critical infrastructure (airports, energy), government agencies, IT services, and manufacturing.
- Double extortion (stealing data before encryption and threatening to leak it) is the standard operating procedure for all listed active ransomware groups.
- The use of infostealers to compromise accounts on popular platforms like Discord remains a prevalent method for initial access and data theft.
- Organizations should prioritize robust security measures, including network segmentation, regular patching, multi-factor authentication (MFA), and maintaining immutable, offline backups to mitigate the impact of an attack.
News Details
- Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack: The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups.
- Hackers steal Discord accounts with RedTiger-based infostealer: Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information.
- 🏴☠️ Qilin has just published a new victim : Malgor: Founded in 1926 in San Juan, Puerto Rico, Malgor & Co., Inc. is a leader in supplying proprietary lines of food and miscellaneous items, as well as recognized brands through special distribution agreements.
- 🏴☠️ Pear has just published a new victim : Miami Management: A licensed and insured company providing a full range of property management services.
- 🏴☠️ Beast has just published a new victim : GeBePro: The company’s activities include the operational management of technical systems, project management, trading/distribution of technical systems and their products, business consulting, expert opinions, and service provision.
- 🏴☠️ Beast has just published a new victim : Bolt Electricity, Oil & Gas: Bolt Energy specializes in providing energy solutions aimed at reducing costs by at least 25% for high voltage companies, and offering clean and affordable energy for residential and small business customers.
- 🏴☠️ Akira has just published a new victim : Flegenheimer International: Flegenheimer International is a Licensed Customs Broker company based out of 227 W Grand Ave, El Segundo, CA, United States. We are ready to upload more than 16 GB of corporate documents.
- 🏴☠️ Incransom has just published a new victim : dwgra.com: D. W. Gould Realty Advisors Inc. (“DWGRA”) is a privately owned, non-commission compensation Canadian brokerage offering. We have at our disposal fiscal data, internal mail, data of all employees of the company, as well as strategic development plans.
- 🏴☠️ Everest has just published a new victim : Dublin Airport: [AI generated] Dublin Airport, located in Collinstown, Fingal, Ireland, is an international airport serving Dublin, the capital city of Ireland. It is operated by DAA (Dublin Airport Authority).