Ransomware Update – 2025-11-04

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • BlackCat (ALPHV):

    • New Encrypted File Extension: Not specified in the news.
    • Attack Methods: Hacking into corporate networks to deploy ransomware and extort victims. The case involves cybersecurity insiders who allegedly used their expertise to facilitate the attacks.
    • Targets: At least five U.S. companies between May and November 2023, including a medical facility.
    • Decryption Status: Not mentioned; the news focuses on the indictment of the alleged attackers.
    • Source: U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion, with threats to publish large volumes of stolen data.
    • Targets: Moonlight Basin (Hospitality), Designs for Vision (Medical), Mecanex USA (Aerospace), Morris Communications Company (Media), Seasons Federal Credit Union, and Montage Marketing Services.
    • Decryption Status: Data has been published or is threatened to be published.
    • Source: Ransomware leak site announcements
  • Incransom:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and public shaming after failed negotiations; claims to have stolen over 1TB of data from one victim.
    • Targets: REPECHAGE (Cosmetics), Vitalmex (Healthcare), The Aetherius Society (Spiritual Organization).
    • Decryption Status: Data publication is threatened.
    • Source: Ransomware leak site announcements
  • Ransomhouse:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: UnitedLayer (Data Centers), Victorian Chemical (Manufacturing).
    • Decryption Status: Data has been published.
    • Source: Ransomware leak site announcements
  • Alphalocker:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion, claiming to have stolen 117 GB from one victim.
    • Targets: A dental practice (myriversidedentaloffice.com), a hotel (unterkofler.info), and an automotive company (automotiveml.com).
    • Decryption Status: Data has been published.
    • Source: Ransomware leak site announcements
  • Interlock:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Exploiting “easily accessible security” for data theft and extortion.
    • Targets: Bishop Ireton High School (Education), Pinto Coates Kyre & Bowers (Law Firm).
    • Decryption Status: Data has been published.
    • Source: Ransomware leak site announcements
  • Spacebears:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: DOVERN Import (Wine Importer), Rios Espinosa (Legal/Financial Services).
    • Decryption Status: Data has been published.
    • Source: Ransomware leak site announcements
  • Other Active Groups:

    • Details: Multiple other ransomware groups posted new victims, including Rhysida (Invacare), Sinobi (Crown Automotive Sales), Devman (Heitech), Play (Irwin Car), Anubis (Mayco International), Nightspire (Dayal Metal Containers Factory LLC, BR Group), Radar (Kingcan Holdings Limited), Qilin (ANCO), Pear (Gerson & Schwartz Lawyers), Dragonforce (G. Hauswirth Architects), Coinbasecartel (CEVA Logistics), and Nova (Castilla).
    • Methods: All involve data exfiltration and public leaks on their respective sites.
    • Source: Ransomware leak site announcements

Observations and Further Recommendations

  • Ransomware activity remains high, with numerous groups like Akira, Incransom, and Ransomhouse actively leaking data from victims across a wide array of industries, including healthcare, finance, legal, and manufacturing.
  • The Akira ransomware group is particularly prolific, claiming responsibility for multiple breaches involving large amounts of sensitive corporate and personal data, including military-related information.
  • The indictment of cybersecurity professionals in the BlackCat ransomware attacks underscores the significant threat posed by insiders who abuse their privileged access and knowledge.
  • Organizations should prioritize insider threat detection programs, enforce the principle of least privilege, and conduct thorough background checks. Furthermore, all entities should ensure they have robust, tested, and offline backup and recovery plans to mitigate the impact of a potential attack.

News Details

  • Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit: Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser that, if successfully exploited, could result in a browser crash or memory corruption.
  • U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks: Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.
  • Microsoft Detects “SesameOp” Backdoor Using OpenAI’s API as a Stealth Command Channel: Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.
  • Malicious VSX Extension “SleepyDuck” Uses Ethereum to Keep Its Command Server Alive: Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck.
  • Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks: Bad actors are increasingly training their sights on trucking and logistics companies with an aim to infect them with remote monitoring and management (RMM) software for financial gain and ultimately steal cargo freight.
  • ⚡ Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More: Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe.
  • The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations: Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively.
  • Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data: Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices.
  • New HttpTroy Backdoor Poses as VPN Invoice in Targeted Cyberattack on South Korea: The North Korea-linked threat actor known as Kimsuky has distributed a previously undocumented backdoor codenamed HttpTroy as part of a likely spear-phishing attack targeting a single victim in South Korea.
  • Hackers exploit critical auth bypass flaw in JobMonster WordPress theme: Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.
  • Hacker steals over $120 million from Balancer DeFi crypto protocol: The Balancer Protocol announced that hackers had targeted its v2 pools, with losses reportedly estimated to be more than $128 million.
  • Fake Solidity VSCode extension on Open VSX backdoors developers: A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker.
  • Microsoft: SesameOp malware abuses OpenAI Assistants API in attacks: Microsoft security researchers have discovered a new backdoor malware that uses the OpenAI Assistants API as a covert command-and-control channel.
  • US cybersecurity experts indicted for BlackCat ransomware attacks: Three former employees of cybersecurity incident response companies DigitalMint and Sygnia have been indicted for allegedly hacking the networks of five U.S. companies in BlackCat (ALPHV) ransomware attacks between May 2023 and November 2023.
  • Hackers use RMM tools to breach freighters and steal cargo shipments: Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods.
  • Android Malware Mutes Alerts, Drains Crypto Wallets: Android/BankBot-YNRK is currently targeting users in Indonesia by masquerading as legitimate applications.
  • Hackers Weaponize Remote Tools to Hijack Cargo Freight: Researchers uncovered a new threat campaign in which attackers use RMM tools to steal physical cargo out of the supply chain.
  • 🏴‍☠️ Rhysida has just published a new victim : Invacare: Invacare, founded in 1885 and headquartered out of Elyria, Ohio, is a manufacturer and distributor of home and long term care medical products.
  • 🏴‍☠️ Spacebears has just published a new victim : DOVERN Import: At DOVERN Import, we are passionate about the art of rare wines and champagnes. Since 2001, we have had the honor of selecting and importing wines and champagnes to Morocco, primarily from the prestigious terroirs of France.
  • 🏴‍☠️ Spacebears has just published a new victim : Rios Espinosa: Since 1985, at Ríos Espinosa we have been at the forefront of our sector, challenging expectations and setting trends. With offices in Sabinillas, Estepona, Sotogrande, and Seville, our team, comprised of economists, social graduates, lawyers, and registered property managers, combines experience and innovation to offer a unique service tailored to each client.
  • 🏴‍☠️ Sinobi has just published a new victim : Crown Automotive Sales: Crown Automotive Sales Co specializes in providing high-quality replacement parts for Jeep, Chrysler, and Dodge vehicles.
  • 🏴‍☠️ Devman has just published a new victim : www.heitech.com.my: Ransom: 500k 60gb
  • 🏴‍☠️ Alphalocker has just published a new victim : www.myriversidedentaloffice.com: It is a dental practice devoted to restoring and enhancing the natural beauty of your smile using conservative, state-of-the-art procedures that will result in beautiful, long lasting smiles!
  • 🏴‍☠️ Play has just published a new victim : Irwin Car: United States
  • 🏴‍☠️ Interlock has just published a new victim : Bishop Ireton High School: Bishop Ireton High School is a Catholic college preparatory school that focuses on spiritual, intellectual, creative, social, and physical development.
  • 🏴‍☠️ Interlock has just published a new victim : Pinto Coates Kyre & Bowers: Pinto Coates Kyre & Bowers is a civil litigation law firm based in Greensboro, NC, specializing in defending individuals and corporations as well as representing claimants in diverse legal matters.
  • 🏴‍☠️ Akira has just published a new victim : Moonlight Basin: Moonlight Basin offers the best snow conditions in Montana, first class rental lodging and vacation homes, fine dining, spa services, and easy access to attractions such as Yellowstone National Park… We will upload 17gb of corporate documents soon.
  • 🏴‍☠️ Akira has just published a new victim : Designs for Vision: Designs for Vision, Inc. specializes in high-quality magnification and LED headlights for dental, medical, and low vision applications. We will upload about 50gb of corporate documents soon.
  • 🏴‍☠️ Akira has just published a new victim : Mecanex USA: Mecanex USA is a U.S. subsidiary of RUAG Aviation. RUAG Aviation is a leading supplier, support provider and integrator of systems and components for civil and military aviation worldwide. We will upload 24gb of corporate documents soon.
  • 🏴‍☠️ Anubis has just published a new victim : Mayco International: Data breach at automotive industry leader.