Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Exploiting vulnerabilities to encrypt Nutanix AHV virtual machines; data theft and extortion.
- Targets: Critical organizations using Nutanix virtualization. Victims recently listed include Barnhart, Basin Harbor, Waukegan Steel, Valley Banks, Aero Precision, A-B Communications, and Barbizon Lighting Company, among others.
- Decryption Status: No known method yet.
- Source: CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs
Kraken:
- New Encrypted File Extension: Not specified.
- Attack Methods: Benchmarks system performance to select the most efficient encryption method, aiming to encrypt data quickly without overloading the targeted machine.
- Targets: Windows, Linux, and VMware ESXi systems.
- Decryption Status: No known method yet.
- Source: Kraken ransomware benchmarks systems for optimal encryption choice
Clop:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft attacks targeting Oracle E-Business Suite, followed by extortion.
- Targets: Confirmed attack on hardware giant Logitech. Numerous other victims were posted on their leak site, including ENTRUST.COM, NHS.UK, DARTMOUTH.EDU, SATO-GLOBAL.COM, and FLUKE.COM.
- Decryption Status: Not applicable (extortion based on data theft).
- Source: Logitech confirms data breach after Clop extortion attack
ShinyHunters:
- New Encrypted File Extension: Not applicable.
- Attack Methods: Breached a legacy cloud storage system for data theft and extortion.
- Targets: UK financial technology company Checkout.com.
- Decryption Status: Not applicable (extortion based on data theft).
- Source: Checkout.com snubs hackers after data breach, to donate ransom instead
General Ransomware Trends / LockBit’s Return:
- New Encrypted File Extension: Not applicable.
- Attack Methods: General trend analysis, not a specific attack method.
- Targets: Global, across all industries.
- Details: The ransomware ecosystem is highly fragmented, with 85 active groups observed in Q3 2025 and 1,590 victims disclosed. Activity remains high despite law enforcement actions, and the major brand LockBit has reappeared.
- Source: Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns
Various Ransomware & Extortion Groups:
- Details: Multiple ransomware and extortion groups, including Incransom, Qilin, Play, Worldleaks, Crypto24, Safepay, Chaos, Everest, and Anubis, have published new victims on their data leak sites.
- Attack Methods: Primarily data theft followed by public extortion.
- Targets: A diverse range of organizations, including Eakas Corp., Kaan Cronenberg & Partners Law (Incransom), Killingly Public Schools (Safepay), Bayu Buana Travel Service (Crypto24), and FullBeauty Brands (Everest).
- Decryption Status: Not applicable (extortion model).
- Source: Various ransomware leak site announcements.
Observations and Further Recommendations
- The ransomware landscape is increasingly decentralized and resilient, with a record 85 active groups in Q3 2025. New groups quickly form after takedowns, and established players like LockBit are returning to activity.
- Attackers continue to target specific enterprise technologies. Akira is focusing on Nutanix virtual machines, while Clop has exploited Oracle E-Business Suite, highlighting the need for robust security around critical infrastructure and applications.
- Data exfiltration for extortion remains a dominant strategy, with many groups prioritizing data theft over system encryption.
- It is crucial for organizations to maintain rigorous patch management, especially for widely used products like Fortinet FortiWeb, which had a recently exploited zero-day. Securing virtual environments and legacy cloud storage is also essential.
News Details
- CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs: US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.
- Kraken ransomware benchmarks systems for optimal encryption choice: The Kraken ransomware, which targets Windows, Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them.
- Logitech confirms data breach after Clop extortion attack: Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.
- Checkout.com snubs hackers after data breach, to donate ransom instead: UK financial technology company Checkout announced that the ShinyHunters threat group has breached one of its legacy cloud storage systems and is now extorting the company for a ransom.
- Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns: Key Takeaways: 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date. 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure. 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns. LockBit’s reappearance with refreshed infrastructure is a major development.
- Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts: Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in the Fortinet FortiWeb Web Application Firewall (WAF) that could allow an attacker to take over admin accounts and completely compromise a device.
- Five U.S. Citizens Plead Guilty to Helping North Korean IT Workers Infiltrate 136 Companies: The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea’s illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions.
- North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels: The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads.
- Iranian Hackers Launch ‘SpearSpecter’ Spy Operation on Defense & Government Targets: The Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations that are of interest to the Islamic Revolutionary Guard Corps (IRGC) as part of a new espionage-focused campaign.
- Chinese Hackers Use Anthropic’s AI to Launch Automated Cyber Espionage Campaign: State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a “highly sophisticated espionage campaign” in mid-September 2025.
- Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests’ Payment Data: A Russian-speaking threat actor behind an ongoing mass phishing campaign has registered more than 4,300 domain names since the start of the year.
- DoorDash hit by new data breach in October exposing user information: DoorDash has disclosed a data breach that hit the food delivery platform this October.
- Akira has just published new victims: Barbizon Lighting Company, Roseburrough Tool, Mqd, McKay Empire, Victor Insulators: We obtained about 15 GB of the following companies: The Barbizon Lighting Company specializes in sales, integration and services of lighting and rigging equipment…
- Clop has just published a new victim: NHS.UK: [AI generated] NHS.UK, operated by the National Health Service of England, plays a crucial role in providing health-related services and information to the UK population.
- Incransom has just published a new victim: eakas.com: Eakas Corp. specializes in producing both functional and decorative products for the automotive industry, serving as a Tier 1 supplier to manufacturers in the United States.
- Safepay has just published a new victim: killinglyschools.org: Killingly Public Schools is a K-12 public school district based in Danielson, Connecticut, serving students in the town of Killingly.