Ransomware Update – 2025-11-12

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • RansomHub:

    • New Encrypted File Extension: Not specified (attack was stopped before file encryption).
    • Attack Methods: Initial compromise through fake browser updates, leading to domain-administrator takeover. The attack was initially detected due to a sudden CPU spike on a server.
    • Targets: Corporate networks.
    • Decryption Status: Not applicable as encryption was prevented.
    • Source: Provided news article titled “How a CPU spike led to uncovering a RansomHub ransomware attack”.
  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Primarily data exfiltration for double extortion.
    • Targets: Real estate (Treetop Companies, Miromar), legal (Barry Sallinger Law), and CPA/consulting firms (Rhodes Young Black & Duncan).
    • Decryption Status: Not specified in the articles.
    • Source: Provided ransomware leak site announcements.
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration for double extortion.
    • Targets: Diverse sectors including forensic medical services, financial platforms (Galileo), industrial manufacturing (Wiraswasta Gemilang), energy (Sarulla Operation), media (modcomedia.com), non-profits, and school districts.
    • Decryption Status: Not specified in the articles.
    • Source: Provided ransomware leak site announcements.
  • Ransomhouse:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration for double extortion.
    • Targets: Varied industries including textiles (Fulgar S.p.A.), finance/insurance (Public Safety Mutual Benefit Fund), technology/manufacturing (Octomeca Oy), and construction (Polidano Group).
    • Decryption Status: Not specified in the articles.
    • Source: Provided ransomware leak site announcements.
  • Multiple Other Groups (Anubis, Devman, Genesis, Kazu, Play, Qilin, etc.):

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion are the common tactics mentioned.
    • Targets: A broad range of victims across healthcare (Olive Branch Family Medical Center), government (National Civil Service Commission of Colombia), manufacturing (Irwin Car), legal services, and construction.
    • Decryption Status: Not specified in the articles.
    • Source: Provided ransomware leak site announcements.

Observations and Further Recommendations

  • A large number of ransomware groups are actively announcing victims from a wide array of industries, including healthcare, finance, manufacturing, legal, real estate, and government. This signifies a widespread and opportunistic threat landscape.
  • The attack methods described focus heavily on data exfiltration for double extortion, where attackers threaten to leak stolen data if the ransom is not paid.
  • The RansomHub incident highlights the importance of monitoring for unusual system behavior, such as unexpected CPU spikes, which can be an early indicator of compromise. Initial access through common methods like fake software updates remains a prevalent threat.
  • Organizations should prioritize robust security measures, including endpoint detection and response (EDR) solutions, regular employee training on phishing and social engineering, and maintaining immutable, offline backups to ensure recoverability.
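The RansomHub case above turned on noticing a CPU spike against a server's normal load. The following is an added illustration (not the Varonis team's tooling, and not taken from any article in this update) of how that signal can be automated: a per-host rolling baseline using median and MAD, so that one earlier spike does not inflate the baseline and mask the next one. The telemetry samples, host names and thresholds are constructed for the example.

```python
"""Flag sudden CPU spikes against a per-host rolling baseline.

Added example: a minimal detector of the kind that would surface the anomaly
described in the RansomHub incident. All telemetry below is constructed, not
taken from the Varonis write-up or any real host.
"""
from collections import defaultdict, deque
from statistics import median

# Constructed telemetry: (timestamp, host, cpu_percent). The last two samples
# for srv-01 model the abrupt jump that merits a look on a file server; srv-02
# is a noisier host whose variation stays inside its own band.
SAMPLES = [
    ("2025-11-11T09:00Z", "srv-01", 12), ("2025-11-11T09:05Z", "srv-01", 15),
    ("2025-11-11T09:10Z", "srv-01", 11), ("2025-11-11T09:15Z", "srv-01", 14),
    ("2025-11-11T09:20Z", "srv-01", 13), ("2025-11-11T09:25Z", "srv-01", 12),
    ("2025-11-11T09:30Z", "srv-01", 94),  # abrupt spike
    ("2025-11-11T09:35Z", "srv-01", 97),  # spike persists
    ("2025-11-11T09:00Z", "srv-02", 40), ("2025-11-11T09:05Z", "srv-02", 55),
    ("2025-11-11T09:10Z", "srv-02", 38), ("2025-11-11T09:15Z", "srv-02", 60),
    ("2025-11-11T09:20Z", "srv-02", 45), ("2025-11-11T09:25Z", "srv-02", 58),
    ("2025-11-11T09:30Z", "srv-02", 62),  # noisy host, within its usual range
]

MAD_SCALE = 1.4826  # scales MAD to be comparable with a standard deviation


def robust_score(value, baseline):
    """Deviation of `value` from the baseline median, in scaled-MAD units.

    Median/MAD rather than mean/stddev: one spike already in the window
    shifts these robust statistics far less, so a second spike is still caught.
    """
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) * MAD_SCALE
    mad = max(mad, 1.0)  # floor so a perfectly flat baseline does not divide by ~0
    return (value - med) / mad


def detect_cpu_spikes(samples, window=6, threshold=5.0, min_cpu=80):
    """Return (timestamp, host, cpu, score) for samples far above the host's
    recent baseline.

    A sample is reported only when the host already has `window` prior
    samples, its score exceeds `threshold`, and its absolute CPU is at least
    `min_cpu`, so a jump from 2% to 10% on an idle box is not an alert.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for ts, host, cpu in samples:
        baseline = history[host]
        if len(baseline) == window:
            score = robust_score(cpu, baseline)
            if score > threshold and cpu >= min_cpu:
                alerts.append((ts, host, cpu, round(score, 1)))
        baseline.append(cpu)  # the spike enters the window, but MAD resists it
    return alerts


if __name__ == "__main__":
    for ts, host, cpu, score in detect_cpu_spikes(SAMPLES):
        print(f"{ts} {host}: cpu={cpu}% score={score} -> investigate process tree")
```

In practice the alert would be enriched with the process responsible for the load (and whether it is a signed, expected binary) before it reaches an analyst; the baseline window and thresholds here are placeholders to tune against real telemetry.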

News Details

  • Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security: Active Directory remains the authentication backbone for over 90% of Fortune 1000 companies. AD’s importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity. Every application, user, and device traces back to AD for authentication and authorization, making it the ultimate target.
  • Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack: Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity.
  • Google Launches ‘Private AI Compute’ — Secure AI Processing with On-Device-Level Privacy: Google on Tuesday unveiled a new privacy-enhancing technology called Private AI Compute to process artificial intelligence (AI) queries in a secure platform in the cloud. The company said it has built Private AI Compute to “unlock the full speed and power of Gemini cloud models for AI experiences, while ensuring your personal data stays private to you and is not accessible to anyone else.”
  • WhatsApp Malware ‘Maverick’ Hijacks Browser Sessions to Target Brazil’s Biggest Banks: Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. According to a report from CyberProof, both malware strains are written in .NET, target Brazilian users and banks, and feature identical functionality.
  • GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites: The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions.
  • How a CPU spike led to uncovering a RansomHub ransomware attack: A sudden CPU spike turned out to be the first clue of an in-progress RansomHub ransomware attack. Varonis breaks down how their team traced the attack from fake browser updates to domain-admin takeover, ultimately stopping the attack before files were encrypted.
  • Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature: Google’s Mandiant Threat Defense on Monday said it discovered n-day exploitation of a now-patched security flaw in Gladinet’s Triofox file-sharing and remote access platform. The critical vulnerability, tracked as CVE-2025-12480 (CVSS score: 9.1), allows an attacker to bypass authentication.
  • Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon: The North Korea-affiliated threat actor known as Konni has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. “Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.”
  • Rhadamanthys infostealer disrupted as cybercriminals lose server access: The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
  • Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws: Today is Microsoft’s November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability.
  • GlobalLogic warns 10,000 employees of data theft after Oracle breach: GlobalLogic, a provider of digital engineering services part of the Hitachi group, is notifying over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach.
  • Google is trying to take down a group sending you all those spammy texts: If you’ve ever received a spammy text falsely alerting you to an unpaid toll or failed delivery, it might have come from a so-called Phishing-as-a-Service network that Google is now trying to take down. Google filed suit against several unnamed defendants it says make up an enterprise called Lighthouse.
  • 🏴‍☠️ Incransom has just published a new victim : forensicmed.com: Forensic Medical is a comprehensive forensic pathology company headquartered in Nashville, Tennessee, which provides medical examiner, death investigation, medical autopsy services, expert forensic testimony and forensic management services to government agencies and private individuals.
  • 🏴‍☠️ Incransom has just published a new victim : galileo.it: Galileo is a global payments platform that powers fintech, financial services, and investment firms by removing the complexity of payments. We’re a proven financial technology platform, an innovation engine and a leader in card issuing, payments and digital banking.
  • 🏴‍☠️ Akira has just published a new victim : Treetop Companies: Treetop Companies is a real estate investment firm founded in 2005 by Azi Mandel and Adam Mermelstein. We will upload almost 100gb of corporate documents soon. Lots of confidential files, clients personal documents (passports, driver’s licenses, financials), other internal client information, NDA, etc.
  • 🏴‍☠️ Devman has just published a new victim : ctfc.cat: Ransom: 248000. 30gb of files exfiltrated.
  • 🏴‍☠️ Crypto24 has just published a new victim : AsahiKASEI MICRODEVICES: …
  • 🏴‍☠️ Incransom has just published a new victim : Wiraswasta Gemilang: PT Wiraswasta Gemilang Indonesia (WGI) is the first and largest private lubricant plant in Indonesia, specializing in re-refinery and blending services.
  • 🏴‍☠️ Ransomhouse has just published a new victim : Fulgar S.p.A.: Fulgar S.p.A. is an international leader in the production of polyamide yarns and covered elastomers, known for its commitment to quality, innovation, and sustainability.
  • 🏴‍☠️ Sarcoma has just published a new victim : Paul Hildebrandt: Paul Hildebrandt AG is a leading packaging company offering over 50,000 products… Geo: Germany – Leak size: 1,4 TB Archive – Contains: Files, SQL, Exchange.