Latest Ransomware News and New File Extensions
BlackCat (ALPHV):
- New Encrypted File Extension: Not specified.
- Attack Methods: Hacking into corporate networks to deploy ransomware and exfiltrate data for extortion.
- Targets: U.S. companies, including a medical center, a financial services company, and a technology firm.
- Decryption Status: Not specified; U.S. federal prosecutors have indicted three individuals involved in the attacks.
- Source: U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and threatening to publish stolen data on their leak site to extort victims.
- Targets: A wide range of U.S. companies, including Elliott Tax Service, MS Metal Solutions, General Micro Systems, and Palacios Marine & Industrial. Stolen data reportedly includes employee PII, financial documents, and confidential corporate information.
- Decryption Status: Not applicable, as the focus is on data leak extortion. No decryption tools mentioned.
- Source: Announcements on the Akira ransomware leak site
Observations and Further Recommendations
- Law enforcement agencies are actively pursuing ransomware operators, as demonstrated by the U.S. indictment of individuals affiliated with the BlackCat/ALPHV ransomware gang.
- Ransomware groups like Akira, Qilin, and Play continue to operate a “name-and-shame” model, targeting a diverse range of industries including finance, manufacturing, legal services, and technology.
- The primary threat tactic observed is data exfiltration followed by extortion, underscoring the importance of data protection in addition to preventing initial network access.
- Organizations should prioritize robust security measures, including network segmentation, regular data backups, and employee training, to defend against network intrusion and mitigate the impact of potential data breaches.
News Details
- Mysterious ‘SmudgedSerpent’ Hackers Target U.S. Policy Experts Amid Iran–Israel Tensions: A never-before-seen threat activity cluster codenamed UNK_SmudgedSerpent has been identified as being behind a set of cyber attacks targeting academics and foreign policy experts between June and August 2025, coinciding with heightened geopolitical tensions between Iran and Israel.
- U.S. Sanctions 10 North Korean Entities for Laundering $12.7M in Crypto and IT Fraud: The U.S. Treasury Department on Tuesday imposed sanctions against eight individuals and two entities within North Korea’s global financial network for laundering money for various illicit schemes, including cybercrime and information technology (IT) worker fraud.
- Why SOC Burnout Can Be Avoided: Practical Steps: Behind every alert is an analyst: tired eyes scanning dashboards, long nights spent on false positives, and the constant fear of missing something big. It’s no surprise that many SOCs face burnout before they face their next breach.
- CISA Adds Gladinet and CWP Flaws to KEV Catalog Amid Active Exploitation Evidence: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Gladinet and Control Web Panel (CWP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
- A Cybercrime Merger Like No Other — Scattered Spider, LAPSUS$, and ShinyHunters Join Forces: The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no less than 16 Telegram channels since August 8, 2025.
- European Authorities Dismantle €600 Million Crypto Fraud Network in Global Sweep: Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million).
- Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks: Details have emerged about a now-patched critical security flaw in the popular “@react-native-community/cli” npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions.
- Microsoft Teams Bugs Let Attackers Impersonate Colleagues and Edit Messages Unnoticed: Cybersecurity researchers have disclosed details of four security flaws in Microsoft Teams that could have exposed users to serious impersonation and social engineering attacks.
- Ransomware Defense Using the Wazuh Open Source Platform: Ransomware is malicious software designed to block access to a computer system or encrypt data until a ransom is paid. This cyberattack is one of the most prevalent and damaging threats in the digital landscape.
- Operation SkyCloak Deploys Tor-Enabled OpenSSH Backdoor Targeting Defense Sectors: Threat actors are leveraging weaponized attachments distributed via phishing emails to deliver malware likely targeting the defense sector in Russia and Belarus.
- Google’s AI ‘Big Sleep’ Finds 5 New Vulnerabilities in Apple’s Safari WebKit: Google’s artificial intelligence (AI)-powered cybersecurity agent called Big Sleep has been credited by Apple for discovering as many as five different security flaws in the WebKit component used in its Safari web browser.
- U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks: Federal prosecutors in the U.S. have accused a trio of allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.
- Microsoft Detects “SesameOp” Backdoor Using OpenAI’s API as a Stealth Command Channel: Microsoft has disclosed details of a novel backdoor dubbed SesameOp that uses OpenAI Assistants Application Programming Interface (API) for command-and-control (C2) communications.
- Malicious VSX Extension “SleepyDuck” Uses Ethereum to Keep Its Command Server Alive: Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck.
- From vibe coding to context engineering: 2025 in software development: This year, we’ve seen a real-time experiment playing out across the technology industry, one in which AI’s software engineering capabilities have been put to the test against human technologists.
- US sanctions North Korean bankers linked to cybercrime, IT worker fraud: The U.S. Treasury Department imposed sanctions on two North Korean financial institutions and eight individuals involved in laundering cryptocurrency stolen in cybercrime and fraudulent IT worker schemes.
- Microsoft: October Windows updates trigger BitLocker recovery: Microsoft has warned that some systems may boot into BitLocker recovery after installing the October 2025 Windows security updates.
- Hackers exploit WordPress plugin Post SMTP to hijack admin accounts: Threat actors are actively exploiting a critical vulnerability in the Post SMTP plugin, installed on more than 400,000 WordPress sites, to take complete control by hijacking administrator accounts.
- Apache OpenOffice disputes data breach claims by ransomware gang: The Apache Software Foundation disputes claims that its OpenOffice project suffered an Akira ransomware attack, after the threat actors claimed to have stolen 23 GB of corporate documents.
- Malicious Android apps on Google Play downloaded 42 million times: Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler.
- Microsoft removing Defender Application Guard from Office: Microsoft plans to remove Defender Application Guard from Office by December 2027, starting with the February 2026 release of Office version 2602.
- Data breach at major Swedish software supplier impacts 1.5 million: The Swedish Authority for Privacy Protection (IMY) is investigating a cyberattack on IT systems supplier Miljödata that exposed data belonging to 1.5 million people.
- Media giant Nikkei reports data breach impacting 17,000 people: Japanese publishing giant Nikkei announced earlier today that its Slack messaging platform had been compromised, exposing the personal information of over 17,000 employees and business partners.
- Police arrest suspects linked to €600 million crypto fraud ring: European law enforcement authorities have arrested nine suspected money launderers who set up a cryptocurrency fraud network that stole over €600 million ($689 million) from victims across multiple countries.
- The Top 3 Browser Sandbox Threats That Slip Past Modern Security Tools: Attackers exploit web browsers’ built-in behaviors to steal credentials, abuse extensions, and move laterally, slipping past traditional defenses.
- Russian hackers abuse Hyper-V to hide malware in Linux VMs: The Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.
- Windows 10 update bug triggers incorrect end-of-support alerts: Microsoft says the October 2025 updates trigger incorrect end-of-support warnings on Windows 10 systems with active security coverage or still under active support.
- Hackers exploit critical auth bypass flaw in JobMonster WordPress theme: Threat actors are targeting a critical vulnerability in the JobMonster WordPress theme that allows hijacking of administrator accounts under certain conditions.
- Trump re-nominates billionaire Jared Isaacman to lead NASA: President Donald Trump has once again picked tech billionaire Jared Isaacman to be the next NASA Administrator, five months after pulling the initial nomination he made last year.
- Motorola’s Edge 70 is the blueprint for future thin phones: The Edge 70 is just 5.99mm thick, but its battery almost matches the S25 Ultra’s. I’ve been as much of a thin phone skeptic as anyone.
- Epic and Google agree to settle their lawsuit and change Android’s fate globally: Just when we thought Epic v. Google might be over, just one Supreme Court rejection away from a complete victory for Epic, both sides have agreed to settle Tuesday evening.
- The best robot vacuums we’ve tested for 2025: Robot vacuums are impressive devices that will clean your floors well and — thanks to bigger batteries and better robot brains — rarely get tired of doing their job.
- Google has a ‘moonshot’ plan for AI data centers in space: Google has dreamed up a potential new way to get around resource constraints for energy-hungry AI data centers on Earth — launching its AI chips into space on solar-powered satellites.
- Valve will finally turn off the Steam Deck’s screen while it’s downloading games: Valve is testing a low-power way to complete downloads on your Steam Deck without having to leave the handheld running with the screen on.
- Apple Podcasts is generating automatic links and chapters: Apple Podcasts will soon include automatically-generated chapters for shows in English and allow creators to add links at specific timestamps in their episodes.
- Your Stream Deck’s ‘device not supported’ error should fix itself if you log in: Did your Stream Deck sprout a red “Device Not Supported” badge where a button used to be? If so, you were probably using BarRaider’s popular plug-ins, which apparently check to see if StreamDeck.exe is digitally signed.
- The best deals on 4K TVs: Things are looking bright for those who want to nab a great TV in 2025 at a substantial discount. There’s usually a great deal happening on a mid- or high-end TV.
- Microsoft AI’s first in-house image generator MAI-Image-1 is now available: Microsoft’s first in-house AI image generator, MAI-Image-1, is now available in two products, Bing Image Creator and Copilot Audio Expressions.
- Elusive Iranian APT Phishes Influential US Policy Wonks: Iran is spying on American foreign policy influencers. But exactly which of its government’s APTs is responsible remains a mystery.
- Kimsuky Debuts HTTPTroy Backdoor Against South Korea Users: The well-known North Korean threat group continues to improve the obfuscation and anti-analysis features of its attack toolchain.
- Pro-Russian Hackers Use Linux VMs to Hide in Windows: A threat actor known as “Curly COMrades” is using Linux VMs to remain undetected in Windows environments while conducting Russia-aligned activities.
- Europe Sees Increase in Ransomware, Extortion Attacks: European organizations face an escalating cyber threat landscape as attackers leverage geopolitical tensions and AI-enhanced social engineering for attacks.
- SesameOp Backdoor Uses OpenAI API for Covert C2: Malware used in a months-long attack demonstrates how bad actors are misusing generative AI services in unique and stealthy ways.
- Android Malware Mutes Alerts, Drains Crypto Wallets: Android/BankBot-YNRK is currently targeting users in Indonesia by masquerading as legitimate applications.
- On the Road Again: Hackers Hijack Physical Cargo Freight: In a new cyber threat campaign, attackers are using remote monitoring and management tools to actually steal physical cargo out of the trucking and freight supply chain.
- 🏴‍☠️ Qilin has just published a new victim: Habib Bank AG Zurich: N/A
- 🏴‍☠️ Qilin has just published a new victim: Habib Bank: N/A
- 🏴‍☠️ Nightspire has just published a new victim: Enem Nostrum Remedies Pvt. Ltd: Enem Nostrum Remedies Pvt. Ltd
- 🏴‍☠️ Qilin has just published a new victim: Durvet: N/A
- 🏴‍☠️ Play has just published a new victim: ConvExx: United States
- 🏴‍☠️ Play has just published a new victim: Sellars Absorbent Materials: United States
- 🏴‍☠️ Play has just published a new victim: American PowerNet: United States
- 🏴‍☠️ Payoutsking has just published a new victim: Ir:
- 🏴‍☠️ Incransom has just published a new victim: thevisapro.com (Yibirin Law Group): all client cases, personal data
- 🏴‍☠️ Coinbasecartel has just published a new victim: Property Finder / PropSpace: Samples on Friday/
- 🏴‍☠️ Qilin has just published a new victim: Mango’s Tropical Cafe: N/A
- 🏴‍☠️ Qilin has just published a new victim: Prova: N/A
- 🏴‍☠️ Akira has just published a new victim: MS Metal Solutions: MS Metal Solutions offers a wide range of manufacturing capabilities including cutting, welding, and powder coating to cater to diverse industries such as automotive, agriculture, and office furniture.
- 🏴‍☠️ Akira has just published a new victim: Elliott Tax Service: Elliott Tax Service is a local firm in San Mateo specializing in income tax preparation and advice, boasting 27 years of experience.
- 🏴‍☠️ Thegentlemen has just published a new victim: St Stephen’s International: www.sis.edu St Stephen’s International School offers educational programs at its Bangkok and Khao Yai campuses, catering to a diverse student population.
- 🏴‍☠️ Rhysida has just published a new victim: Automated Logistics Systems: Automated Logistics Systems
- 🏴‍☠️ Akira has just published a new victim: Benda Grace Stulz: You Are Number One at Benda, Grace, Stulz & Co. operates in the Certified Public Accountant business/industry within the Engineering, Accounting, Research, and Management Services sector.
- 🏴‍☠️ Akira has just published a new victim: Palacios Marine & Industrial: Palacios Marine Industrial (PMI) offers quality contracting and service solutions while prioritizing environmental health and safety.
- 🏴‍☠️ Akira has just published a new victim: General Micro Systems: General Micro Systems (GMS) is the rugged server company. The company is known as the industry expert in highest-density, modular, compute-intensive, and rugged small form-factor embedded computing systems, servers, and switches.
- 🏴‍☠️ Rhysida has just published a new victim: Invacare: Invacare, founded in 1885 and headquartered out of Elyria, Ohio, is a manufacturer and distributor of home and long-term care medical products.
- 🏴‍☠️ Spacebears has just published a new victim: DOVERN Import: At DOVERN Import, we are passionate about the art of rare wines and champagnes. Since 2001, we have had the honor of selecting and importing wines and champagnes to Morocco, primarily from the prestigious terroirs of France.
- 🏴‍☠️ Spacebears has just published a new victim: Rios Espinosa: Since 1985, at Ríos Espinosa we have been at the forefront of our sector, challenging expectations and setting trends. With offices in Sabinillas, Estepona, Sotogrande, and Seville, our team combines experience and innovation.
- 🏴‍☠️ Sinobi has just published a new victim: Crown Automotive Sales: Crown Automotive Sales Co specializes in providing high-quality replacement parts for Jeep, Chrysler, and Dodge vehicles.
- 🏴‍☠️ Devman has just published a new victim: www.heitech.com.my: Ransom: 500k 60gb
- 🏴‍☠️ Alphalocker has just published a new victim: www.myriversidedentaloffice.com: It is a dental practice devoted to restoring and enhancing the natural beauty of your smile using conservative, state-of-the-art procedures that will result in beautiful, long-lasting smiles!
- 🏴‍☠️ Play has just published a new victim: Irwin Car: United States