Ransomware Update – 2025-11-23

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: An investigation revealed the use of rogue ScreenConnect access for initial entry, followed by failed infostealer attempts before executing the ransomware.
    • Targets: Nissan Capital, Kajima Europe, Interlink Trade Services, and an entity referred to as “Mmlk”.
    • Decryption Status: No known decryption method mentioned.
    • Source: Piecing Together the Puzzle: A Qilin Ransomware Investigation; Ransomware leak site reports.
  • Dragonforce:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: Bodega San Huberto, Parsirang, Summit Construction Supply, Nugent Supply, Fueling Solutions Inc., Healthcare & More, Barr Trucking Inc., F-W-S Countertops, C&M Software.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Clop:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: A large number of victims were announced, including Macy’s (macys.com), Zain Group (zain.com), Hypertherm (hypertherm.com), The Madison Square Garden Company (msg.com), and many others across various sectors.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: First Fruits Farms and a collection of companies including PM Plastics, Reliable Van & Storage, Landis, Whitinger Strategic Services, and Kimber Manufacturing.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Medusa:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: General Distributing, FDC Interiors, MFE Formwork Technology, Nationwide Legal LLC.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: OnSolve (onsolve.com), Woom GmbH, TBTEAM.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Play:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: Katch Kan, Keystone Fabricating, Turkstra Trusses.
    • Decryption Status: No known decryption method mentioned.
    • Source: Ransomware leak site reports.
  • Other Active Groups:

    • Rhysida: Targeted St. Joseph’s Healthcare Hamilton.
    • Lynx: Targeted Vantec Europe (vanteceurope.com).
    • Pear: Targeted Medical Center, LLP, a family medicine and primary care practice in Dublin, GA.
    • Devman: Targeted gsccca.org and procure.com.
    • Thegentlemen: Targeted Sansala and Colliers.
    • Worldleaks: Targeted Nuclebrás Equipamentos Pesados.
    • Handala: Claimed to have exposed data on 10 individuals from the “Zionist regime’s aerospace elite.”
    • Securotrop: Targeted Mister Guns.

Observations and Further Recommendations

  • Numerous ransomware groups, including Qilin, Dragonforce, Clop, and Akira, claimed a significant volume of new victims, indicating a highly active and widespread threat landscape.
  • The targeted entities are diverse, spanning industries such as automotive, finance, healthcare, manufacturing, legal services, and construction across multiple countries.
  • The investigation into the Qilin ransomware attack highlights the exploitation of legitimate remote access tools like ScreenConnect as a common entry vector.
  • Organizations should prioritize securing and monitoring remote access software, maintaining offline backups, and implementing robust endpoint detection and response (EDR) solutions to mitigate these threats.

News Details

  • China-Linked APT31 Launches Stealthy Cyberattacks on Russian IT Using Cloud Services: The China-linked advanced persistent threat (APT) group known as APT31 has been attributed to cyber attacks targeting the Russian information technology (IT) sector between 2024 and 2025 while staying undetected for extended periods of time.
  • Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks: Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2.
  • CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
  • WhatsApp API flaw let researchers scrape 3.5 billion accounts: Researchers compiled a list of 3.5 billion WhatsApp mobile phone numbers and associated personal information by abusing a contact-discovery API that lacked rate limiting. […]
  • Cox Enterprises discloses Oracle E-Business Suite data breach: Cox Enterprises is notifying impacted individuals of a data breach that exposed their personal data to hackers who breached the company network after exploiting a zero-day flaw in Oracle E-Business Suite. […]
  • Piecing Together the Puzzle: A Qilin Ransomware Investigation: Huntress analysts reconstructed a Qilin ransomware attack from a single endpoint, using limited logs to reveal rogue ScreenConnect access, failed infostealer attempts, and the ransomware execution path. The investigation shows how validating multiple data sources can uncover activity even when visibility is reduced to a “pinhole.” […]
  • CISA warns Oracle Identity Manager RCE flaw is being actively exploited: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager flaw tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. […]
  • Nvidia confirms October Windows updates cause gaming issues: Nvidia has confirmed that last month’s security updates are causing gaming performance issues on Windows 11 24H2 and Windows 11 25H2 systems. […]
  • Microsoft: Out-of-band update fixes Windows 11 hotpatch install loop: Microsoft has released an out-of-band cumulative update to fix a known issue causing the November 2025 KB5068966 hotpatch update to reinstall on Windows 11 systems repeatedly. […]
  • Grafana warns of max severity admin spoofing vulnerability: Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation. […]
  • Shocker: Elon Musk spends a lot of time on X posting bad political takes: NBC News’s David Ingram analyzed a month’s worth of Elon Musk’s X posts (our condolences). While what he was able to glean wasn’t too surprising, it was still interesting to see the numbers all laid out.
  • Sony’s entire DualSense lineup is $20 off, including the limited edition models: Black Friday isn’t here quite yet, but that hasn’t stopped Sony from kicking off an excellent holiday promo, which runs through December 18th. The ongoing sale spans everything from PlayStation 5 consoles to Sony’s latest accessories…
  • Spotify simplifies importing playlists from other streaming services: In August, Apple Music launched a tool for importing playlists from other streaming services. The brouhaha over Daniel Ek’s war profiteering was in full swing, and artists were starting to flee. Now Spotify is launching its own playlist transfer tool…
  • The absolute best Black Friday deals we’ve found (so far): Black Friday is the most anticipated day of the year for bargain hunters. While there’s still some time to go before November 28th, we’ve already found a healthy selection of early discounts, allowing you to get a jump on your holiday shopping.
  • The best AR glasses are cheaper than ever during Black Friday: The Xreal One look a bit like the glasses you get from the optician after having your pupils dilated. But they’re not as bulky or heavy as a VR headset.
  • Forestrike trained me to become an incredible pixelated fighter: It took me a long time to become even halfway decent at Forestrike. The martial arts action game, from Olija developer Skeleton Crew, has a unique twist in that it lets you see what will happen in most battles and then practice your strategy accordingly.
  • Carol seeks the truth (serum) in Pluribus episode 4: Last week one of my big questions about Pluribus was whether our reluctant hero Carol (Rhea Seehorn) would find someone to help her save the world from the scourge of happiness.
  • ‘Jmail’ is like any other inbox, except this one has Jeffrey Epstein’s emails: The more than 20,000 pages of Jeffrey Epstein emails released earlier this month by the House Oversight Committee have been enough to prompt more investigations into the convicted child sex offender…
  • Google denies ‘misleading’ reports of Gmail using your emails to train AI: Google is pushing back on viral social media posts and articles like this one by Malwarebytes, claiming Google has changed its policy to use your Gmail messages and attachments to train AI models…
  • Judge wants to fix Google’s ad tech monopoly before it’s too late: Google and the Justice Department had their last chance to make their case before Judge Leonie Brinkema Friday before she decides whether Google needs to be broken up to remedy its ad tech monopoly.
  • Deja Vu: Salesforce Customers Hacked Again, Via Gainsight: In a repeat of similar attacks during the summer, threat actors affiliated with the ShinyHunters extortion group used a third-party application to steal organizations’ Salesforce data.
  • LINE Messaging Bugs Open Asian Users to Cyber Espionage: In a potential gift to geopolitical adversaries, the encrypted messaging app uses a leaky custom protocol that allows message replays, impersonation attacks, and sensitive information exposure from chats.
  • Cloudflare’s One-Stop-Shop Convenience Takes Down Global Digital Economy: Even the most advanced systems like Cloudflare can fall victim to software issues and become a global point of failure, Dr. David Utzke argues, adding that the recent outage should be a warning for enterprises.
  • Hack the Hackers: 6 Laws for Staying Ahead of the Attackers: A new security framework responds to a shift in attackers’ tactics, one that allows them to infiltrate enterprises “silently” through their own policies.
  • 🏴‍☠️ Qilin has just published a new victim : Nissan Capital: N/A
  • 🏴‍☠️ Worldleaks has just published a new victim : Nuclebrás Equipamentos Pesados: [AI generated] “Nuclebrás Equipamentos Pesados S.A. (NUCLEP) is a Brazilian state-owned company under the Ministry of Science, Technology, Innovation, and Communications.
  • 🏴‍☠️ Dragonforce has just published a new victim : Bodega San Huberto: Bodega | San Huberto offers a welcoming environment for all, catering to both Spanish and English-speaking clients.
  • 🏴‍☠️ Dragonforce has just published a new victim : Parsirang: Parsirang is a large Iranian agro-industrial company focused on egg production, but also involved in feed, olive farming, and compost fertilizer.
  • 🏴‍☠️ Dragonforce has just published a new victim : Summit Construction Supply: Summit Construction Supply is a leading commercial construction product supplier based in Loveland, Colorado…
  • 🏴‍☠️ Dragonforce has just published a new victim : Nugent Supply: Nugent Supply Company is a Women Business Enterprise (WBE) and a member of the Specialty Tools and Fasteners Distributors Association (STAFDA) based in Loveland, Colorado.
  • 🏴‍☠️ Dragonforce has just published a new victim : Fueling Solutions Inc.: Fueling Solutions, Inc. specializes in providing commercial, industrial, and mission-critical fueling systems across over 30 countries on four continents.
  • 🏴‍☠️ Dragonforce has just published a new victim : Healthcare & More: Healthcare & Moore, led by independent insurance broker Myra ‘Lynn’ Moore, specializes in a comprehensive range of insurance products including Medicare plans…
  • 🏴‍☠️ Dragonforce has just published a new victim : Barr Trucking Inc.: Barr Trucking was formed in 1981 by William Mark Barr and his Father William DeWitt Barr in Pinckneyville, IL.
  • 🏴‍☠️ Dragonforce has just published a new victim : F-W-S Countertops: F-W-S COUNTERTOPS specializes in the design, fabrication, and installation of premium countertops…
  • 🏴‍☠️ Play has just published a new victim : Katch Kan: Canada
  • 🏴‍☠️ Play has just published a new victim : Keystone Fabricating: United States
  • 🏴‍☠️ Play has just published a new victim : Turkstra Trusses: Canada
  • 🏴‍☠️ Rhysida has just published a new victim : St. Joseph’s Healthcare Hamilton: St. Joseph’s Healthcare Hamilton
  • 🏴‍☠️ Lynx has just published a new victim : vanteceurope.com: This page is Group Mission. VANTEC, leading company of Auto Parts Logistics, provides high quality Supply Chain Solutions globally based on our over 60 years logistics expertise.
  • 🏴‍☠️ Qilin has just published a new victim : Mmlk: N/A
  • 🏴‍☠️ Handala has just published a new victim : 10 corpses: Today, Saturday, Handala RedWanted tears the mask off the Zionist regime’s aerospace elite. We are lifting the veil of secrecy from 10 senior operatives…
  • 🏴‍☠️ Dragonforce has just published a new victim : C&M Software: C&M Software is a leading technology company specializing in solutions for the financial market.
  • 🏴‍☠️ Incransom has just published a new victim : onsolve.com: OnSolve is a leading critical event management provider that proactively mitigates physical threats, allowing organizations to remain agile when a crisis strikes.
  • 🏴‍☠️ Qilin has just published a new victim : Kajima Europe: N/A
  • 🏴‍☠️ Pear has just published a new victim : Medical Center, LLP: Family Medicine and Primary Care Practice in Dublin, GA
  • 🏴‍☠️ Qilin has just published a new victim : Interlink Trade Services: N/A
  • 🏴‍☠️ Securotrop has just published a new victim : Mister Guns: Status: AWAITING Size: 290 GB
  • 🏴‍☠️ Incransom has just published a new victim : Woom GmbH: woom is an international manufacturer of bikes for children and teenagers with its headquarters in Klosterneuburg, outside of Vienna.
  • 🏴‍☠️ Incransom has just published a new victim : TBTEAM: OnSolve is a leading critical event management provider that proactively mitigates physical threats, allowing organizations to remain agile when a crisis strikes.
  • 🏴‍☠️ Thegentlemen has just published a new victim : Sansala: www.sansala.es https://www.zoominfo.com/c/sansala/466441418 Sansala offers a variety of delicious sandwiches, salads, and desserts made from fresh, natural ingredients.
  • 🏴‍☠️ Devman has just published a new victim : gsccca.org: Ransom: 500gb 400k
  • 🏴‍☠️ Thegentlemen has just published a new victim : Colliers: Stock Symbol CIGI Revenue $5.2 Billion colliers.com https://www.zoominfo.com/c/colliers-international-group-inc/12042840 Colliers International Group Inc. provides commercial real estate services…
  • 🏴‍☠️ Devman has just published a new victim : procure.com: Ransom: data theft 40gb 120K
  • 🏴‍☠️ Medusa has just published a new victim : General Distributing: General Distributing Co is a company that operates in the Convenience Stores, Gas Stations & Liquor Stores industry.
  • 🏴‍☠️ Medusa has just published a new victim : FDC Interiors: FDC / Interiors specializes in creating exceptional and luxurious spaces that reflect innovation and beauty.
  • 🏴‍☠️ Medusa has just published a new victim : MFE Formwork Technology: MFE Formwork Technology is a global leader in aluminium formwork solutions, known for delivering fast, efficient, and high-quality building systems.
  • 🏴‍☠️ Medusa has just published a new victim : Nationwide Legal LLC: Nationwide Legal LLC is a leading litigation support and legal services company based in Los Angeles, California…
  • 🏴‍☠️ Clop has just published a new victim : HCMSPARTNERS.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : DMC-ME.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : MSG.COM: [AI generated] MSG.com is a website owned by The Madison Square Garden Company, a sports and entertainment company based in the United States.
  • 🏴‍☠️ Clop has just published a new victim : INTELLINUM.COM: [AI generated] Intellinum Inc. is a technology company that specializes in providing mobile supply chain solutions.
  • 🏴‍☠️ Clop has just published a new victim : KNEXTECH.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : ANYWHERE.RE: [AI generated] “ANYWHERE.RE” is a proptech solution providing a comprehensive and innovative platform that transforms the real estate industry.
  • 🏴‍☠️ Clop has just published a new victim : GOLDSTARPENS.COM: [AI generated] GoldstarPens.com is a manufacturer and supplier of customizable writing instruments and promotional products.
  • 🏴‍☠️ Clop has just published a new victim : NEWLINECLOUD.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : NAMA.OM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : NORTHEASTERNCORP.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : AQM.COM.SA: [AI generated] I’m sorry, but there doesn’t appear to be enough specific or verified information about the company “AQM.COM.SA” for a detailed description.
  • 🏴‍☠️ Clop has just published a new victim : MACYS.COM: [AI generated] Macy’s.com is the online platform of Macy’s, Inc., one of the premier retailers in the United States.
  • 🏴‍☠️ Clop has just published a new victim : HYPERTHERM.COM: [AI generated] Hypertherm is a global organization based in New Hampshire, USA. Founded in 1968, the company specializes in the design and manufacture of advanced cutting systems…
  • 🏴‍☠️ Clop has just published a new victim : KOREANAIRCND.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : INTEROIL.COM.CO: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : INVENTIVE-IT.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : MAFAS.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : VIPAPPSCONSULTING.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : ZAIN.COM: [AI generated] Zain Group is a leading telecommunications company that operates across the Middle East and Africa.
  • 🏴‍☠️ Clop has just published a new victim : ACRONI.SI: [AI generated] ACRONI.SI is a Slovenia-based company primarily engaged in the production of steel.
  • 🏴‍☠️ Clop has just published a new victim : EIGHTEENPK.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : IBIZSOFTINC.COM: [AI generated] IBIZSOFTINC is a multi-faceted company that specializes in developing innovative IT solutions.
  • 🏴‍☠️ Clop has just published a new victim : LEGACYCLASSIC.COM: [AI generated] Legacy Classic Furniture, Inc. is a leading supplier of bedroom, dining room, casual dining, and youth furniture.
  • 🏴‍☠️ Clop has just published a new victim : AOSOM.COM: [AI generated] Aosom.com is an online retailer that provides a variety of products for home, office, garden, and outdoor activities.
  • 🏴‍☠️ Clop has just published a new victim : INCENTIVECONCEPTS.COM: [AI generated] Incentive Concepts is a company that provides businesses with high-quality merchandise for corporate gifting…
  • 🏴‍☠️ Clop has just published a new victim : ALASEEL.COM.SA: [AI generated] N/A
  • 🏴‍☠️ Akira has just published a new victim : PM Plastics, Reliable Van & Storage, Landis, Whitinger Strategic Services, Kimber Manufact…: We obtained about 29gb of the following companies: PM Plastics manufacturing of miniatures, small parts, large parts…
  • 🏴‍☠️ Akira has just published a new victim : First Fruits Farms: First Fruits Farms, located in Prescott, Washington, is an agricultural company that specializes in apple and cherry orchards.