Latest Ransomware News and New File Extensions
Qilin:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion; specific initial access vectors are not detailed.
- Targets: Marine Foods Express LTD, Spark Innovation, Regional Business Systems, Kensington Court, QuaLex Manufacturing, Kdr Real Estate Services.
- Decryption Status: No known decryption method is available.
- Source: Ransomware group leak site announcements.
Akira:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion. The group claims to have stolen 76GB of data from one victim and 25GB from another, including sensitive employee and corporate information.
- Targets: Stoss Landscape Urbanism (a design firm), Bleyl Engineering (a civil engineering firm).
- Decryption Status: No known decryption method is available.
- Source: Ransomware group leak site announcements.
Incransom:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion across various sectors.
- Targets: Bais Yaakov Elementary School (Canada), Continuum India (research organization), The Ripley Academy (UK), Grande Prairie Public Library (US), Datenlotsen Informationssysteme GmbH (Germany), Zadro Inc. (US retail).
- Decryption Status: No known decryption method is available.
- Source: Ransomware group leak site announcements.
Sinobi:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: Genrose Stone + Tile, Heywood Hospital, TFC Poultry, Air Design Systems, Lincoln IT, H G Reynolds (construction).
- Decryption Status: No known decryption method is available.
- Source: Ransomware group leak site announcements.
Safepay:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: An Italian school district, a Puerto Rican logistics company, a Colombian distributor, a Swiss garden design firm, and a Barbadian electrical contractor.
- Decryption Status: No known decryption method is available.
- Source: Ransomware group leak site announcements.
Other Active Groups:
- Sarcoma: Targeted B&J Rocket Sales (Swiss manufacturer), claiming a 156 GB data leak.
- Anubis: Targeted FSGROUP-Engineering, leaking customer contact details.
- Rhysida: Targeted Smoll & Banning, CPAs, an accounting firm in Kansas.
- Medusalocker: Targeted dulay.ca, demanding a $40,000 ransom for 500GB of data.
- Source: Ransomware group leak site announcements.
Observations and Further Recommendations
- Ransomware attacks continue to impact a diverse and global range of sectors, including education, healthcare, manufacturing, public services, engineering, and retail.
- The primary tactic observed is double extortion, where attackers not only encrypt files but also exfiltrate sensitive data and threaten to publish it on leak sites to pressure victims into paying.
- Groups are increasingly transparent about the data they’ve stolen (e.g., PII, financial records) and sometimes even the ransom demand, aiming to maximize leverage.
- Organizations should prioritize fundamental cybersecurity hygiene: maintain secure, offline backups of critical data; enforce multi-factor authentication (MFA) on all accounts; ensure timely patching of software and systems; and provide regular security awareness training to employees.
News Details
- EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates: The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper “redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.”
- ServiceNow AI Agents Can Be Tricked Into Acting Against Each Other via Second-Order Prompts: Malicious actors can exploit default configurations in ServiceNow’s Now Assist generative artificial intelligence (AI) platform and leverage its agentic capabilities to conduct prompt injection attacks.
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild: Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, is an OS Command Injection flaw that may allow an authenticated attacker to execute commands.
- Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar: The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings.
- Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year: Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform’s network protocol.
- Researchers Detail Tuoni C2’s Role in an Attempted 2025 Real-Estate Cyber Intrusion: Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni.
- Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks: Suspected espionage-driven threat actors from Iran have been observed deploying backdoors like TWOSTROKE and DEEPROOT as part of continued attacks aimed at aerospace, aviation, and defense industries in the Middle East.
- Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages: Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites.
- Microsoft Mitigates Record 15.72 Tbps DDoS Attack Driven by AISURU Botnet: Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps).
- Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability: Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability is CVE-2025-13223, a type confusion vulnerability in the V8 JavaScript engine.
- Cloudflare blames this week’s massive outage on database issues: On Tuesday, Cloudflare experienced its worst outage in 6 years, blocking access to many websites and online platforms for almost 6 hours after a change to database access controls triggered a cascading failure across its Global Network.
- ‘PlushDaemon’ hackers hijack software updates in supply-chain attacks: The China-aligned advanced persistent threat (APT) tracked as ‘PlushDaemon’ is hijacking software update traffic to deliver malicious payloads to its targets.
- New ShadowRay attacks convert Ray clusters into crypto miners: A global campaign dubbed ShadowRay 2.0 hijacks exposed Ray Clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet.
- French agency Pajemploi reports data breach affecting 1.2M people: Pajemploi, the French social security service for parents and home-based childcare providers, has suffered a data breach that may have exposed personal information of 1.2 million individuals.
- Critical Fortinet FortiWeb WAF Bug Exploited in the Wild: The vulnerability could allow an unauthenticated attacker to remotely execute administrative commands.
- 🏴‍☠️ Qilin has just published a new victim: Marine Foods Express LTD: N/A
- 🏴‍☠️ Akira has just published a new victim: Stoss Landscape Urbanism: Stoss Landscape Urbanism specializes in designing landscapes and social spaces that promote resilience, vitality, and equity. […] We are ready to upload more than 76GB data.
- 🏴‍☠️ Sarcoma has just published a new victim: B&J Rocket Sales: BJ Rocket is a leading manufacturer in the tire and rubber industry, specializing in retreading blades and carbide tools. […] Geo: Switzerland – Leak size: 156 GB Archive.
- 🏴‍☠️ Incransom has just published a new victim: baisyaakov.ca: Bais Yaakov Elementary School is dedicated to providing exceptional education for girls in the Toronto community.
- 🏴‍☠️ Medusalocker has just published a new victim: dulay.ca: Price-$40000 (sale in one hand there are options for making a profit from these files will be included in the deal) 500Gb.