Ransomware Update – 2025-11-09

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Ransomvibing Malware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Distributed via malicious Visual Studio Code (VS Code) extensions. The malware encrypts and exfiltrates user data.
    • Targets: Developers and users of the Visual Studio Code marketplace.
    • Decryption Status: No information on decryption methods is available.
    • Source: ‘Ransomvibing’ Infests Visual Studio Extension Market
  • Ransomware Groups Announce New Victims:

    • Prominent Details: Multiple ransomware groups have publicly named new victims on their data leak sites as a pressure tactic. Technical details about the attacks were not included in the announcements.
    • Affected Groups and Notable Victims:
      • Qilin: Announced numerous victims, including Hitzinger, Gadge USA, Scouts Canada, and the Village of New Lenox.
      • Medusa: Claimed attacks on Simon Property Group, Clackamas Community College (allegedly exfiltrating 1.21 TB of data), LaRosa’s Pizzeria, and PT Kalimantan Prima Persada.
      • Dragonforce: Named Ponzini S.p.A., GB Mail, and DCS TECHNOLOGIES INC. as victims.
      • Akira: Listed Mold In Graphic Systems, threatening to release 15 GB of corporate and employee data.
      • Other Groups: Handala, Securotrop, and Stormous also posted new victim announcements.
    • Source: Various ransomware leak site publications.

Observations and Further Recommendations

  • Developers and Supply Chains Under Attack: A clear trend involves targeting the software development lifecycle. Malicious NuGet packages with sabotage “time bombs” and “Ransomvibing” malware in VS Code extensions highlight significant risks in the software supply chain.
  • Persistent Use of Zero-Day Exploits: Threat actors continue to successfully leverage undisclosed vulnerabilities. The LANDFALL spyware campaign used a Samsung zero-day (CVE-2025-21042) for targeted attacks, while QNAP patched seven zero-days found in its NAS devices, demonstrating the critical importance of rapid patching.
  • Ransomware Extortion Remains Widespread: Numerous ransomware gangs, including Qilin, Medusa, and Dragonforce, are actively using the “name-and-shame” model. They are targeting a diverse range of sectors, from public services and education to major commercial enterprises, confirming that data extortion is a primary and effective cybercriminal strategy.
  • General Recommendations: Organizations should implement stringent security vetting for all third-party code libraries, dependencies, and development tools. Maintaining an aggressive patch management program is essential to mitigate the risk of zero-day exploitation.

News Details

  • Microsoft Uncovers ‘Whisper Leak’ Attack That Identifies AI Chat Topics in Encrypted Traffic: Microsoft has disclosed a novel side-channel attack against remote language models that, under certain circumstances, lets a passive adversary who can observe network traffic infer the topic of a conversation despite its encryption.
  • Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware: A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
  • OpenAI plans to release GPT-5.1, GPT-5.1 Reasoning, and GPT-5.1 Pro: OpenAI is preparing the GPT-5.1 family for public rollout. This includes GPT-5.1 (base), GPT-5.1 Reasoning, and GPT-5.1 Pro for those who pay a $200 monthly subscription.
  • GlassWorm malware returns on OpenVSX with 3 new VSCode extensions: The GlassWorm malware campaign, which impacted the OpenVSX and Visual Studio Code marketplaces last month, has returned with three new VSCode extensions that have already been downloaded over 10,000 times.
  • Still on Windows 10? Enroll in free ESU before next week’s Patch Tuesday: With the first Patch Tuesday following Windows 10’s end of support approaching next week, users who continue to run the operating system should enroll in the Extended Security Updates (ESU) program to remain protected against newly discovered security vulnerabilities.
  • Malicious NuGet packages drop disruptive ‘time bombs’: Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
  • Microsoft testing faster Quick Machine Recovery in Windows 11: Microsoft is testing a faster version of Quick Machine Recovery (QMR) and updated Smart App Control (SAC), allowing users to toggle it without requiring a Windows clean install.
  • QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own: QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
  • New LandFall spyware exploited Samsung zero-day via WhatsApp messages: A threat actor exploited a zero-day vulnerability in Samsung’s Android image processing library to deploy a previously unknown spyware called ‘LandFall’ using malicious images sent over WhatsApp.
  • The best earbuds we’ve tested for 2025: It’s hard to buy a bad pair of wireless earbuds these days, and with constant discounts and deals wherever you look, now is as good a time as any to splurge on the pair you’ve been eyeing. The market has come a long way since the early era of true wireless earbuds when we had to deal with mediocre sound quality and unreliable performance, all for the sake of ditching cables.
  • Apple helped kill netbooks. Will it bring them back?: Rumor has it, Apple is working on a low-cost MacBook. And not “low-cost for a Mac,” but a proper cheap laptop, possibly as low as $599. For a company that traditionally targets the more premium end of the market, this would be something of an about-face.
  • Halo Infinite is about to get its last major update: On November 18th, Operation: Infinite will be released for Halo Infinite players with a battle pass and lots of new customizations, but according to the team, that’s it for this game’s content updates.
  • The best Fitbits for your fitness and health: In 2025, you might wonder if Fitbit is still relevant. Despite being acquired by Google, Fitbit remains one of the most recognizable names in the industry. Fitbit trackers aren’t meant for the most hardcore of athletes, but they’re still excellent devices for tracking overall activity as well as monitoring certain health and wellness metrics, like EKGs and blood oxygen levels.
  • ‘Landfall’ Malware Targeted Samsung Galaxy Users: The tool let its operators secretly record conversations, track device locations, capture photos, collect contacts, and perform other surveillance on compromised devices.
  • ‘Ransomvibing’ Infests Visual Studio Extension Market: A published VS Code extension didn’t hide the fact that it encrypts and exfiltrates data and also failed to remove obvious signs it was AI-generated.
  • 🏴‍☠️ Qilin has just published a new victim: Hitzinger: N/A
  • 🏴‍☠️ Qilin has just published a new victim: Gadge USA: N/A
  • 🏴‍☠️ Qilin has just published a new victim: JC Auto Accident Law Firm: N/A
  • 🏴‍☠️ Dragonforce has just published a new victim: Ponzini S.p.A.: Founded in 1862, Ponzini S.p.A. is a global leader in personal care product manufacturing.
  • 🏴‍☠️ Handala has just published a new victim: Saturday Spotlight: As per our unbreakable tradition, every Saturday, the world awaits the chilling revelation from Handala RedWanted. This week, we pull back the mask on eight more Zionist criminals…
  • 🏴‍☠️ Akira has just published a new victim: Mold In Graphic Systems: Mold In Graphic Systems specializes in providing permanent labeling solutions for plastic durable goods using their unique Polymer Fusion Labels. We will upload 15gb of corporate documents soon.
  • 🏴‍☠️ Medusa has just published a new victim: Simon Property Group: Simon Property Group is a leading real estate investment trust (REIT) based in Indianapolis, Indiana. Founded in 1993, it owns, develops, and manages premier shopping malls, outlets, and lifestyle centers…
  • 🏴‍☠️ Medusa has just published a new victim: Clackamas Community College: Clackamas Community College offers a variety of academic programs including associate degrees, certificates, and customized training for various career pathways… The total amount of data leakage is 1.21 TB.