Latest Ransomware News and New File Extensions
Obscura Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Employs a flawed encryption process that corrupts files, making them unrecoverable.
- Targets: General targets (analyzed in a case study).
- Decryption Status: Impossible. Files are corrupted during encryption and cannot be recovered even with a valid decryption key.
- Source: Obscura Ransomware: A Case Study in Ransomware Data Loss
Multiple Ransomware Gangs (Akira, Play, Qilin, etc.):
- New Encrypted File Extension: Not specified in the reports.
- Attack Methods: Primarily data exfiltration followed by threats to leak stolen information online to pressure victims into paying the ransom.
- Targets: A wide range of global organizations across various sectors, including:
- Akira: Wright Architectural Millwork (US), Swift Filters (US), FELA (Switzerland), Hydroscand (Sweden), AJ Jersey (US).
- Play: Radio Sound (US), Applied Energy Systems (US), Artesian Insurance (Canada), One Source Associates (US), N C Machinery (US), Highmark Companies (US).
- Qilin: Fayette County (US), Cimertex (Portugal), Sakol Energy Public (Thailand), Mae Krathing Power Company (Thailand), N15 Technology (Thailand), IGT (Global).
- Incransom: naffco.com (NAFFCO, UAE).
- Dragonforce: Kettle, Sánchez & Co (Dominican Republic).
- Blackshrantac: Superintendencia Nacional de Fiscalización Laboral (SUNAFIL, Peru).
- Sinobi: PATLITE (US), Croft (US), CHANGEPOND (India).
- Ransomhouse: Makro (Wholesale).
- Sarcoma: Söllner (Germany).
- Nova: HostingFest (Turkey).
- Other Groups (Coinbasecartel, Lynx, Morpheus): Various corporate entities in software, oil & gas, and staffing services.
- Decryption Status: Not specified; focus is on data leakage threats.
- Source: Ransomware victim notification posts from the provided news feed.
Observations and Further Recommendations
- Ransomware attacks continue at a high volume, targeting a diverse array of industries globally, including government agencies, manufacturing, technology, energy, and professional services.
- A prominent tactic involves exfiltrating large quantities of sensitive data (e.g., Akira, Incransom, Sarcoma) and publicly stating the volume stolen to maximize pressure on victims.
- The Obscura ransomware analysis reveals a critical risk: flawed encryption can render data permanently unrecoverable, regardless of whether a ransom is paid. This underscores that payment is no guarantee of restoration.
- Recommendations: Organizations should prioritize maintaining offline or immutable backups and regularly test-restoring from them. A robust incident response plan must account for the possibility of irreversible data loss, and any ransom decision should be preceded by technical validation that a decryptor actually restores sample files intact. Prevention remains key, focusing on multi-factor authentication (MFA), timely patching, and employee training to defend against initial access vectors.
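The "technical validation" step referred to in the Obscura case study is easy to skip under pressure. The following Python script is an added example written for this digest (it is not from the case study, Obscura, or any vendor tool) of how an IR team can sanity-check files a decryptor hands back before treating a ransom payment as a recovery path: each sample must open with a known magic header and pass a format-specific structural check (PNG chunk CRCs, ZIP member CRCs, a PDF end-of-file marker). The signature table, the check functions, and all sample files are assumptions constructed inline so the script runs offline.

```python
import io
import struct
import zipfile
import zlib

# Illustrative signature table (an assumption of this example, not an exhaustive list).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "zip": b"PK\x03\x04"}


def detect_type(data):
    """Return the format name whose magic bytes open the file, or None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def check_png(data):
    """Walk the chunk list: every CRC must match and an IEND chunk must be reached."""
    pos, seen_iend = 8, False
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False  # chunk truncated
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            return False  # bit damage inside the chunk
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    return seen_iend


def check_zip(data):
    """Open the archive and verify every member's stored CRC (testzip returns None when all pass)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def check_pdf(data):
    """Cheap structural check: a complete PDF ends with an %%EOF marker."""
    return b"%%EOF" in data[-1024:]


CHECKS = {"png": check_png, "zip": check_zip, "pdf": check_pdf}


def validate_sample(data):
    """Return (intact, reason) for one file handed back by a decryptor."""
    if not data:
        return False, "empty file"
    ftype = detect_type(data)
    if ftype is None:
        return False, "unrecognized header (wrong key or corrupted)"
    ok = CHECKS[ftype](data)
    return ok, f"{ftype}: {'intact' if ok else 'structure check failed'}"


def triage(samples):
    """Validate every sample; return per-file results plus the intact count and total."""
    results = {name: validate_sample(data) for name, data in samples.items()}
    return results, sum(1 for ok, _ in results.values() if ok), len(results)


# --- constructed test inputs (built inline so the example runs offline) ---
def _png_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def constructed_samples():
    """Build a mix of intact and damaged files mimicking a decryptor's sample output."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)      # 1x1 8-bit grayscale
    png = (MAGIC["png"] + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
    flipped = bytearray(png)
    flipped[43] ^= 0xFF                                      # inside the IDAT body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample")
    zdata = buf.getvalue()
    bad_zip = bytearray(zdata)
    bad_zip[zdata.find(b"constructed sample") + 3] ^= 0xFF   # damage the member data
    pdf = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
    return {
        "good.png": png, "truncated.png": png[:-10], "bitflip.png": bytes(flipped),
        "good.zip": zdata, "corrupt.zip": bytes(bad_zip),
        "good.pdf": pdf, "truncated.pdf": pdf[:24],
        "garbage.bin": b"\x17\xa9\x03\xe4" * 8,
    }


if __name__ == "__main__":
    results, intact, total = triage(constructed_samples())
    for name, (ok, reason) in results.items():
        print(f"{'OK ' if ok else 'BAD'} {name}: {reason}")
    print(f"{intact}/{total} samples intact")
```

Passing these checks is necessary, not sufficient: a file can be structurally valid and still contain wrong content, so where pre-incident hashes or a known-good copy exist, compare against those as well. The value of the script is in the failure direction: a decryptor that returns unrecognized headers or CRC failures across a sample set is evidence that the encryption damaged the data, which is exactly the Obscura scenario where payment buys nothing.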
News Details
- SEC Drops SolarWinds Case After Years of High-Stakes Cybersecurity Scrutiny: The U.S. Securities and Exchange Commission (SEC) has abandoned its lawsuit against SolarWinds and its chief information security officer, which had alleged that the company misled investors about the security practices that led to the 2020 supply chain attack.
- Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity: Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said in an advisory.
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet: Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.
- Tsundere Botnet Expands Using Game Lures and Ethereum-Based C2 on Windows: Cybersecurity researchers have warned of an actively expanding botnet dubbed Tsundere that’s targeting Windows users. Active since mid-2025, the threat is designed to execute arbitrary JavaScript code retrieved from a command-and-control (C2) server.
- New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices: Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. A key differentiator is its ability to bypass encrypted messaging by capturing content directly from the device screen.
- Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt: Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.
- TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign: Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef.
- Google exposes BadAudio malware used in APT24 espionage campaigns: China-linked APT24 hackers have been using a previously undocumented malware called BadAudio in a three-year espionage campaign that recently switched to more sophisticated attack methods.
- Hacker claims to steal 2.3TB data from Italian rail group, Almaviva: Data from Italy’s national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization’s IT services provider, Almaviva.
- Obscura Ransomware: A Case Study in Ransomware Data Loss: Discover how Obscura ransomware corrupts encrypted files beyond recovery, and why technical validation is key to smart ransom response decisions.
- 🏴☠️ Dragonforce has just published a new victim : Kettle, Sánchez & Co: Kettle, Sánchez & Co / OARN is located in Santo Domingo. Kettle, Sánchez & Co / OARN is working in General chemical wholesale, Corporate management, Pharmacies and drug stores activities.
- 🏴☠️ Blackshrantac has just published a new victim : Superintendencia Nacional de Fiscalización Laboral: [AI generated] The “Superintendencia Nacional de Fiscalización Laboral” (SUNAFIL) is a Peruvian government agency responsible for promoting, supervising and enforcing labor rights.
- 🏴☠️ Sinobi has just published a new victim : PATLITE: Founded in 1947, PATLITE Corporation is a technology engineering and manufacturing company. PATLITE provides LED status indicating lights, sound alarms, and visual and audible communication network systems.
- 🏴☠️ Akira has just published a new victim : Wright Architectural Millwork: Wright Architectural Millwork specializes in high-quality architectural woodwork and has been in the industry for 50 years. We will upload 87 GB of corporate documents soon.
- 🏴☠️ Incransom has just published a new victim : naffco.com: NAFFCO is an international manufacturer and supplier of firefighting, security, and safety products. We have 1TB of data at our disposal (fiscal data, internal mail, HR data, budgets, strategic development plans and much more).
- 🏴☠️ Sarcoma has just published a new victim : Söllner: Söllner GmbH & Co. KG is a family-owned roofing company based in Plettenberg, operating for four generations since 1902. Geo: Germany – Leak size: 286 GB Archive – Contains: Files, SQL.
- 🏴☠️ Nova has just published a new victim : HostingFest: As HostingFest, we provide domain name (Domain), Hosting, VDS and Dedicated servers, E-commerce infrastructures and SEO services to our individual and corporate customers. Due to encryption, the official domain is currently inaccessible.