Latest Ransomware News and New File Extensions
Clop:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration for double extortion.
- Targets: A wide range of organizations across sectors; the group lists victims by domain, including HCMSPARTNERS.COM, DMC-ME.COM, MSG.COM, INTELLINUM.COM, MACYS.COM, HYPERTHERM.COM, ZAIN.COM, LEGACYCLASSIC.COM, AOSOM.COM, GREENBALL.COM, SUMITOMOCHEMICAL.COM, MICHELIN.COM, DOONEY.COM, BROADCOM.COM, ENVOY.COM, A10NETWORKS.COM, and RIDERTA.COM, among many others.
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Akira:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion, threatening to publish stolen corporate and personal data.
- Targets: Multiple companies including PM Plastics, Reliable Van & Storage, First Fruits Farms, and Electro Mechanical Industries.
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Medusa:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration for public extortion.
- Targets: General Distributing, FDC Interiors, MFE Formwork Technology, and Nationwide Legal LLC.
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: Kajima Europe, Interlink Trade Services, Alma Realty, and XOX Mobile.
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Incransom (INC Ransom):
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: Woom GmbH (an international bike manufacturer) and TBTEAM (OnSolve, a critical event management provider).
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Other Active Groups:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion.
- Targets: Various groups have listed new victims: Pear (Medical Center, LLP), Securotrop (Mister Guns), Thegentlemen (Sansala, Colliers), Devman (gsccca.org, procure.com), Ransomhouse (Fucerep), Rhysida (Wachusett School District MA), and Datacarry (UAM).
- Decryption Status: No decryption information available; the focus is on data leaks.
- Source: Sourced from threat intelligence feeds.
Observations and Further Recommendations
- Several ransomware groups, including Clop, Akira and Medusa, are highly active and are publicly listing numerous victims on their leak sites, spanning retail, technology, manufacturing, agriculture, education and legal services.
- The dominant tactic is extortion over stolen data: either double extortion, where attackers exfiltrate sensitive data before encrypting systems, or extortion-only operations that skip encryption entirely. In both cases the threat to publish the data is the lever to force payment, which is consistent with the entries above recording leak-site postings rather than encryptor details such as file extensions or decryptors.
- Organizations should prioritize phishing-resistant multi-factor authentication (MFA), network segmentation, and prompt patching of actively exploited vulnerabilities such as the Oracle Identity Manager flaw (CVE-2025-61757) and the Grafana SCIM flaw (CVE-2025-41115) covered below. Phishing remains a common initial access vector, and the Matrix Push C2 item is a reminder that lures now also arrive as browser push notifications rather than email, so awareness training should cover unexpected browser alerts and notification permission prompts.
News Details
- Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks: Threat actors are leveraging browser notifications as a phishing vector to distribute malicious links via a new command-and-control (C2) platform called Matrix Push C2. “This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims across operating systems,” Blackfog researcher Brenda Robb said in a Thursday report.
- CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8).
- Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation: Grafana has released security updates to address a maximum severity security flaw that could allow privilege escalation or user impersonation under certain configurations. The vulnerability, tracked as CVE-2025-41115, carries a CVSS score of 10.0.
- ShadowRay 2.0 Exploits Unpatched Ray Flaw to Build Self-Spreading GPU Cryptomining Botnet: Oligo Security has warned of ongoing attacks exploiting a two-year-old security flaw in the Ray open-source artificial intelligence (AI) framework to turn infected clusters with NVIDIA GPUs into a self-replicating cryptocurrency mining botnet.
- APT24 Deploys BADAUDIO in Years-Long Espionage Hitting Taiwan and 1,000+ Domains: A China-nexus threat actor known as APT24 has been observed using a previously undocumented malware dubbed BADAUDIO to establish persistent remote access to compromised networks as part of a nearly three-year campaign.
- Salesforce Flags Unauthorized Data Access via Gainsight-Linked OAuth Activity: Salesforce has warned of detected “unusual activity” related to Gainsight-published applications connected to the platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the company said.
- 🏴☠️ Qilin has just published a new victim : Kajima Europe: N/A (no description provided on the leak site)
- 🏴☠️ Pear has just published a new victim : Medical Center, LLP: Family Medicine and Primary Care Practice in Dublin, GA
- 🏴☠️ Incransom has just published a new victim : Woom GmbH: woom is an international manufacturer of bikes for children and teenagers with its headquarters in Klosterneuburg, outside of Vienna.
- 🏴☠️ Clop has just published a new victim : MACYS.COM: Macy’s.com is the online platform of Macy’s, Inc., one of the premier retailers in the United States.
- 🏴☠️ Akira has just published a new victim : First Fruits Farms: First Fruits Farms, located in Prescott, Washington, is an agricultural company that specializes in apple and cherry orchards. The group's post adds: “We will upload 26gb of corporate documents soon.”
- 🏴☠️ Rhysida has just published a new victim : Wachusett School District MA: Wachusett School District MA is a public school district.
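The victim notifications above all share one shape: group name, the fixed phrase "has just published a new victim", the victim name, and an optional description that may carry a claimed data volume. The parser below is an added example written for this digest (it is not code from the feed provider or from any of the groups named) and assumes exactly that line shape; it turns the lines into structured records and aggregates victims per group, and pulls out a claimed exfiltration size where the post states one. The sample lines are copied from the entries above plus one unrelated headline, constructed to show that non-matching lines are ignored. A victim name that itself contains a colon would be split at the wrong place, since the first colon after the fixed phrase is taken as the victim/description boundary.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: victim lines from this digest plus one unrelated line that must be skipped.
SAMPLE_FEED = [
    "- 🏴☠️ Qilin has just published a new victim : Kajima Europe: N/A",
    "- 🏴☠️ Pear has just published a new victim : Medical Center, LLP: Family Medicine and Primary Care Practice in Dublin, GA",
    "- 🏴☠️ Clop has just published a new victim : MACYS.COM: Macy's.com is the online platform of Macy's, Inc., one of the premier retailers in the United States.",
    "- 🏴☠️ Akira has just published a new victim : First Fruits Farms: First Fruits Farms, located in Prescott, Washington, is an agricultural company that specializes in apple and cherry orchards. We will upload 26gb of corporate documents soon.",
    "- 🏴☠️ Rhysida has just published a new victim : Wachusett School District MA: Wachusett School District MA is a public school district.",
    "- CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability: ...",
]

# Leading bullet/emoji is any run of non-word characters; the group name runs lazily up to the
# fixed phrase; the victim is everything up to the first colon after the phrase (assumption:
# victim names contain no colon); the description is optional and may itself contain colons.
_ENTRY = re.compile(
    r"^\W*(?P<group>[A-Za-z0-9 ._-]+?) has just published a new victim\s*:\s*"
    r"(?P<victim>[^:]+?)\s*(?::\s*(?P<desc>.*))?$"
)

# Claimed data volume such as "26gb" or "1.5 TB" inside the description text.
_SIZE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(tb|gb|mb)\b", re.IGNORECASE)


@dataclass(frozen=True)
class VictimEntry:
    group: str
    victim: str
    description: Optional[str]     # None when the post gives no description ("N/A")
    claimed_size_gb: Optional[float]  # None when the post states no data volume


def claimed_size_gb(text: Optional[str]) -> Optional[float]:
    """Return the first claimed data volume in the text, normalised to gigabytes."""
    if not text:
        return None
    m = _SIZE.search(text)
    if not m:
        return None
    value, unit = float(m.group(1)), m.group(2).lower()
    return {"tb": value * 1024, "gb": value, "mb": value / 1024}[unit]


def parse_entry(line: str) -> Optional[VictimEntry]:
    """Parse one feed line; return None for lines that are not victim notifications."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    desc = (m.group("desc") or "").strip()
    if not desc or desc.upper() == "N/A":
        desc = None
    return VictimEntry(
        group=m.group("group").strip(),
        victim=m.group("victim").strip(),
        description=desc,
        claimed_size_gb=claimed_size_gb(desc),
    )


def parse_feed(lines: List[str]) -> List[VictimEntry]:
    """Parse all lines, silently dropping anything that is not a victim notification."""
    return [e for e in (parse_entry(l) for l in lines) if e is not None]


def victims_by_group(entries: List[VictimEntry]) -> Dict[str, List[str]]:
    """Map each group to the sorted list of victims it posted."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        grouped[e.group].append(e.victim)
    return {g: sorted(v) for g, v in grouped.items()}


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for group, victims in sorted(victims_by_group(parsed).items()):
        print(f"{group}: {', '.join(victims)}")
    for e in parsed:
        if e.claimed_size_gb is not None:
            print(f"{e.group} claims {e.claimed_size_gb:g} GB exfiltrated from {e.victim}")
```

Feeding the parser a day's worth of leak-site notifications gives a per-group victim list that can be diffed against the previous day, and the claimed volumes make it easy to spot posts that announce data the group has not yet published.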