Latest Ransomware News and New File Extensions
Operation Endgame Law Enforcement Action:
- New Encrypted File Extension: Not Applicable
- Attack Methods: Coordinated international law enforcement operation dismantled the infrastructure of several major malware families, including the Rhadamanthys Stealer, Venom RAT, and Elysium botnet, which are often used as precursors or enablers for ransomware attacks. Over 1,000 servers were taken down.
- Targets: The criminal infrastructure and operators behind the specified malware.
- Decryption Status: This was a takedown operation, not a release of decryption tools.
- Source: Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown
DanaBot Malware Resurgence:
- New Encrypted File Extension: Not Applicable
- Attack Methods: The DanaBot malware, a banking trojan often used for initial access leading to ransomware, has returned in a new version after a six-month break following the initial “Operation Endgame” disruption.
- Targets: Windows systems.
- Decryption Status: Not Applicable (DanaBot is an initial access trojan).
- Source: DanaBot malware is back to infecting Windows after 6-month break
Leak Site Activity (Multiple Groups):
- New Encrypted File Extension: Not specified in reports.
- Attack Methods: Numerous ransomware groups are continuing data exfiltration and extortion campaigns, publishing victims on their leak sites after failed negotiations.
- Targets: A wide range of global industries, with recent victims including:
  - Healthcare & Biotech: Vikor Scientific, KorPath (Everest)
  - Staffing & Professional Services: Cornerstone Staffing Solutions (Qilin), Latamlex (Incransom)
  - Education: Dover City Schools (Safepay)
  - Manufacturing & Technology: AsahiKASEI MICRODEVICES (Crypto24), Fulgar S.p.A. (Ransomhouse)
  - Real Estate & Finance: Treetop Companies (Akira), Galileo (Incransom)
- Decryption Status: No decryption information available; the focus is on data leak threats.
- Source: Various ransomware leak site monitoring reports.
Observations and Further Recommendations
- Law enforcement continues to achieve significant success in disrupting cybercrime infrastructure, as seen with “Operation Endgame.” However, the rapid resurgence of threats like DanaBot highlights the resilience of these criminal networks.
- Ransomware attacks remain sector-agnostic, targeting a diverse range of industries from healthcare and education to manufacturing and legal services.
- The primary tactic remains data exfiltration for extortion purposes, where the threat of publishing sensitive data is used as leverage for payment.
- Organizations should prioritize patching critical vulnerabilities, such as the recently exploited flaws in WatchGuard, Cisco, and Citrix products mentioned in the news, to reduce their attack surface. Implementing robust security measures for identity and access management systems like Active Directory is also crucial.
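The recommendation above to prioritize flaws that are already under active exploitation is the kind of check that is easy to automate. The Python below is an added example, not code from this digest or from CISA: it parses JSON in the shape of the CISA Known Exploited Vulnerabilities feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches entries against a constructed asset inventory, and reports which hosts carry a listed flaw and how far past the CISA due date they are. The KEV entries, host names, dates and the CVE-1900-0001 id are constructed sample values; only the Citrix and Cisco CVE ids come from the news items on this page.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed. The Citrix and Cisco
# CVE ids are the ones named in the digest; CVE-1900-0001 is a placeholder id,
# and every date and flag value here is constructed, not copied from the feed.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2025-07-10",
         "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-20337", "vendorProject": "Cisco",
         "product": "Identity Services Engine", "dateAdded": "2025-07-28",
         "dueDate": "2025-08-18", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleApp", "dateAdded": "2025-07-01",
         "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: the vendor/product pairs a defender knows they run.
INVENTORY = [
    {"host": "ns-edge-01", "vendor": "Citrix", "product": "NetScaler ADC"},
    {"host": "ise-core-01", "vendor": "Cisco", "product": "Identity Services Engine"},
    {"host": "fw-branch-07", "vendor": "WatchGuard", "product": "Fireware"},
]


def load_kev(feed_text):
    """Parse KEV-style JSON and return the list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _product_matches(inv_product, kev_product):
    # Case-insensitive substring match in either direction, so "NetScaler ADC"
    # matches the feed's "NetScaler ADC and Gateway".
    a, b = inv_product.lower(), kev_product.lower()
    return a in b or b in a


def match_inventory(kev_entries, inventory, today_iso):
    """Return one finding per (asset, KEV entry) pair whose vendor and product match.

    days_until_due is negative when the CISA due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for entry in kev_entries:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if not _product_matches(asset["product"], entry["product"]):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_until_due": (due - today).days,
                "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
            })
    return findings


def prioritize(findings):
    """Order findings: ransomware-linked entries first, then the most overdue."""
    return sorted(findings, key=lambda f: (not f["ransomware_use"], f["days_until_due"]))


def overdue(findings):
    """Findings whose CISA due date is already in the past."""
    return [f for f in findings if f["days_until_due"] < 0]


if __name__ == "__main__":
    found = prioritize(match_inventory(load_kev(KEV_SAMPLE), INVENTORY, "2025-08-01"))
    for f in found:
        status = "OVERDUE" if f["days_until_due"] < 0 else f"{f['days_until_due']}d left"
        print(f"{f['host']:14} {f['cve']:16} {status}")
```

In practice KEV_SAMPLE would be replaced by the downloaded feed and INVENTORY by a CMDB or scanner export; the substring match on product names is a deliberate simplification, and a real deployment would key on CPE strings or version ranges to avoid both missed and spurious matches. The WatchGuard host is deliberately unmatched here because the page gives no CVE id for that flaw.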
News Details
- When Attacks Come Faster Than Patches: Why 2026 Will be the Year of Machine-Speed Security: The Race for Every New CVE: Based on multiple 2025 industry reports, roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race […]
- Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown: Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers.
- ThreatsDay Bulletin: Cisco 0-Days, AI Bug Bounties, Crypto Heists, State-Linked Leaks and 20 More Stories: Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us.
- CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack: Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.
- Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform: Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries.
- Amazon Uncovers Attacks Exploited Cisco ISE and Citrix NetScaler as Zero-Day Flaws: Amazon’s threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware.
- [Webinar] Learn How Leading Security Teams Reduce Attack Surface Exposure with DASR: Every day, security teams face the same problem—too many risks, too many alerts, and not enough time. You fix one issue, and three more show up. It feels like you’re always one step behind.
- Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security: Active Directory remains the authentication backbone for over 90% of Fortune 1000 companies. AD’s importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity.
- Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack: Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild.
- Google Launches ‘Private AI Compute’ — Secure AI Processing with On-Device-Level Privacy: Google on Tuesday unveiled a new privacy-enhancing technology called Private AI Compute to process artificial intelligence (AI) queries in a secure platform in the cloud.
- WhatsApp Malware ‘Maverick’ Hijacks Browser Sessions to Target Brazil’s Biggest Banks: Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp.
- Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations: Law enforcement authorities from 9 countries have taken down 1,025 servers used by the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations in the latest phase of Operation Endgame, an international action targeting cybercrime. […]
- CISA warns of WatchGuard firewall flaw exploited in attacks: CISA has ordered federal agencies to patch an actively exploited vulnerability in WatchGuard Firebox firewalls, which allows attackers to gain remote code execution on compromised devices. […]
- Google sues to dismantle Chinese phishing platform behind US toll scams: Google has filed a lawsuit to dismantle the “Lighthouse” phishing-as-a-service platform used by cybercriminals worldwide to steal credit card information through SMS phishing attacks impersonating the U.S. Postal Service and E-ZPass toll systems. […]
- Windows 11 now supports 3rd-party apps for native passkey management: Microsoft announced that passwordless authentication is now easier on Windows 11 through native support for third-party passkey managers, the first ones supported being 1Password and Bitwarden. […]
- DanaBot malware is back to infecting Windows after 6-month break: The DanaBot malware has returned with a new version observed in attacks, six months after law enforcement’s Operation Endgame disrupted its activity in May. […]
- Microsoft fixes bug causing false Windows 10 end-of-support alerts: Microsoft has resolved a bug causing incorrect Windows 10 end-of-support warnings on systems with active security coverage or still under active support after installing the October 2025 updates. […]
- Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks: An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2” (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware. […]
- Synnovis notifies of data breach after 2024 ransomware attack: Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients’ data. […]
- 🏴☠️ Everest has just published a new victim : Vikor Scientific, LLC / Korgene: [AI generated] Vikor Scientific, LLC / Korgene is a specialized molecular diagnostics company dedicated to advancing the healthcare sector through innovation. They offer comprehensive, customized diagnostic tests to clinicians for better patient outcomes.
- 🏴☠️ Qilin has just published a new victim : Cornerstone Staffing Solutions: N/A
- 🏴☠️ Akira has just published a new victim : Treetop Companies: Treetop Companies is a real estate investment firm founded in 2005 by Azi Mandel and Adam Mermelstein. We will upload almost 100gb of corporate documents soon. Lots of confidential files, clients' personal documents (passports, drivers' licenses, financials), other internal client information, NDA, etc.
- 🏴☠️ Incransom has just published a new victim : latamlex (gyg.local): Latamlex is a regional law firm with a team of over 100 attorneys and more than 20 years of experience, recognized for its expertise in various legal areas including arbitration, corporate law, and intellectual property.