Latest Ransomware News and New File Extensions
-
Chaos RaaS (formerly BlackSuit):
- New Encrypted File Extension: Not specified
- Attack Methods: Big-game hunting and double extortion attacks. The group is believed to consist of former members of the BlackSuit crew, whose infrastructure was seized by law enforcement.
- Targets: U.S.-based companies, with ransom demands around $300,000. The FBI has seized approximately $2.4 million in Bitcoin from a member linked to attacks in Texas.
- Decryption Status: No decryptor available. Law enforcement action has disrupted the group and its predecessor.
- Source: [Source URL not provided]
-
Incransom:
- New Encrypted File Extension: Not specified
- Attack Methods: Data breach and extortion. The group claims to have stolen 1.2 TB of data from Dollar Tree and 100 GB from the Family Service League.
- Targets: Major retail chains (Dollar Tree) and social service organizations (Family Service League).
- Decryption Status: No known decryptor. The group threatens to publish the stolen data.
- Source: [Source URL not provided]
-
Akira:
- New Encrypted File Extension: Not specified
- Attack Methods: Data theft and extortion, threatening to leak sensitive corporate documents, financial records, and personal employee/customer data.
- Targets: Diverse industries including retail/beauty (Druni), agriculture/real estate (Hertz Farm Management), and property management.
- Decryption Status: No known decryptor.
- Source: [Source URL not provided]
-
Gunra:
- New Encrypted File Extension: Not specified
- Attack Methods: Evolved from a Windows-only threat to a cross-platform ransomware with a new Linux variant, utilizing sophisticated, multithreaded encryption.
- Targets: Windows and Linux systems.
- Decryption Status: No known decryptor.
- Source: [Source URL not provided]
-
FunkSec:
- New Encrypted File Extension: Not specified
- Attack Methods: File encryption with ransom demands (a public decryptor now exists). The ransomware emerged in late 2024 and claimed 172 victims before going dormant.
- Targets: General users and organizations.
- Decryption Status: A free public decryptor has been released by researchers at Gen Digital, as the ransomware is now considered defunct.
- Source: [Source URL not provided]
-
Other Active Ransomware Gangs (BlackByte, Beast, Qilin, etc.):
- New Encrypted File Extension: Not specified
- Attack Methods: Standard data theft and double extortion tactics, posting victim data on dedicated leak sites.
- Targets: A wide array of sectors including manufacturing, real estate, healthcare, legal, public entities (cities, school districts), and technology services.
- Decryption Status: No known decryptors for these active groups.
- Source: [Source URL not provided]
Observations and Further Recommendations
- The ransomware threat is continuous and widespread, impacting a diverse range of sectors from major retail and finance to critical public services like city governments (St. Paul, MN) and school districts.
- The cybercrime ecosystem demonstrates resilience; when one group like BlackSuit is taken down, its members often regroup to form new entities like Chaos RaaS, continuing their operations.
- Double extortion (data encryption combined with data theft) remains the dominant strategy for ransomware gangs, maximizing pressure on victims to pay.
- Threat actors are actively expanding their technical capabilities, as seen with Gunra ransomware developing a Linux variant to broaden its target base.
- Law enforcement actions are achieving some success, such as the seizure of BlackSuit’s infrastructure and the confiscation of ransom payments from a Chaos member. Additionally, the security community provides relief when possible, such as releasing a free decryptor for the defunct FunkSec ransomware.
News Details
- FunkSec Ransomware Decryptor Released Free to Public After Group Goes Dormant: Cybersecurity experts have released a decryptor for a ransomware strain called FunkSec, allowing victims to recover access to their files for free. “Because the ransomware is now considered dead, we released the decryptor for public download,” Gen Digital researcher Ladislav Zezula said.
- Product Walkthrough: A Look Inside Pillar’s AI Security Platform: In this article, we will provide a brief overview of Pillar Security’s platform to better understand how they are tackling AI security challenges. Pillar Security is building a platform to cover the entire software development and deployment lifecycle with the goal of providing trust in AI systems.
- Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome: Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month.
- Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits: Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
- Chinese Firms Linked to Silk Typhoon Filed 15+ Patents for Cyber Espionage Tools: Chinese companies linked to the state-sponsored hacking group known as Silk Typhoon (aka Hafnium) have been identified as behind over a dozen technology patents, shedding light on the shadowy cyber contracting ecosystem and its offensive capabilities.
- Google Launches DBSC Open Beta in Chrome and Enhances Patch Transparency via Project Zero: Google has announced that it’s making a security feature called Device Bound Session Credentials (DBSC) in open beta to ensure that users are safeguarded against session cookie theft attacks.
- Hackers Exploit SAP Vulnerability to Breach Linux Systems and Deploy Auto-Color Malware: Threat actors have been observed exploiting a now-patched critical SAP NetWeaver flaw to deliver the Auto-Color backdoor in an attack targeting a U.S.-based chemicals company in April 2025.
- Scattered Spider Hacker Arrests Halt Attacks, But Copycat Threats Sustain Security Pressure: Google Cloud’s Mandiant Consulting has revealed that it has witnessed a drop in activity from the notorious Scattered Spider group, but emphasized the need for organizations to take advantage of the lull to shore up their defenses.
- Wiz Uncovers Critical Access Bypass Flaw in AI-Powered Vibe Coding Platform Base44: Cybersecurity researchers have disclosed a now-patched critical security flaw in a popular vibe coding platform called Base44 that could allow unauthorized access to private applications built by its users.
- PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain: The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that’s targeting users in an attempt to redirect them to fake PyPI sites.
- Chaos RaaS Emerges After BlackSuit Takedown, Demanding $300K from U.S. Victims: A newly emerged ransomware-as-a-service (RaaS) gang called Chaos is likely made up of former members of the BlackSuit crew, as the latter’s dark web infrastructure has been the subject of a law enforcement seizure.
- How the Browser Became the Main Cyber Battleground: Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent: Compromise an endpoint via software exploit, or social engineering a user to run malware on their device.
- Cybercriminals Use Fake Apps to Steal Data and Blackmail Users Across Asia’s Mobile Networks: Cybersecurity researchers have discovered a new, large-scale mobile malware campaign that’s targeting Android and iOS platforms with fake dating, social networking, cloud storage, and car service apps to steal sensitive personal data.
- Why React Didn’t Kill XSS: The New JavaScript Injection Playbook: React conquered XSS? Think again. That’s the reality facing JavaScript developers in 2025, where attackers have quietly evolved their injection techniques to exploit everything from prototype pollution to AI-generated code, bypassing the very frameworks designed to keep applications secure.
- CISA Adds PaperCut NG/MF CSRF Vulnerability to KEV Catalog Amid Active Exploitation: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security vulnerability impacting PaperCut NG/MF print management software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
- Hackers Breach Toptal GitHub, Publish 10 Malicious npm Packages With 5,000 Downloads: In what’s the latest instance of a software supply chain attack, unknown threat actors managed to compromise Toptal’s GitHub organization account and leveraged that access to publish 10 malicious packages to the npm registry.
- Apple patches security flaw exploited in Chrome zero-day attacks: Apple has released security updates to address a high-severity vulnerability that has been exploited in zero-day attacks targeting Google Chrome users.
- New Lenovo UEFI firmware updates fix Secure Boot bypass flaws: Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
- Minnesota activates National Guard after St. Paul cyberattack: Minnesota Governor Tim Walz has activated the National Guard in response to a crippling cyberattack that struck the City of Saint Paul, the state’s capital, on Friday.
- Russian airline Aeroflot grounds dozens of flights after cyberattack: Aeroflot, Russia’s flag carrier, has suffered a cyberattack that resulted in the cancellation of more than 60 flights and severe delays on additional flights.
- Hackers exploit SAP NetWeaver bug to deploy Linux Auto-Color malware: Hackers were spotted exploiting a critical SAP NetWeaver vulnerability tracked as CVE-2025-31324 to deploy the Auto-Color Linux malware in a cyberattack on a U.S.-based chemicals company.
- French telecom giant Orange discloses cyberattack: Orange, a French telecommunications company and one of the world’s largest telecom operators, revealed that it detected a breached system on its network on Friday.
- FBI seizes $2.4M in Bitcoin from new Chaos ransomware operation: FBI Dallas has seized almost 23 Bitcoins from a cryptocurrency address belonging to a Chaos ransomware member that is linked to cyberattacks and extortion payments from Texas companies.
- Nimble ‘Gunra’ Ransomware Evolves With Linux Variant: The emerging cybercriminal gang, which initially targeted Microsoft Windows systems, is looking to go cross-platform using sophisticated, multithread encryption.
- Chaos Ransomware Rises as BlackSuit Gang Falls: Researchers detailed a newer double-extortion ransomware group made up of former members of BlackSuit, which was recently disrupted by international law enforcement.
- Insurance Giant Allianz Life Grapples With Breach Affecting ‘Majority’ of Customers: The company has yet to report an exact number of how many individuals were impacted by the breach and plans to start the notification process around Aug. 1.
- 🏴☠️ Incransom has just published a new victim : Dollar Tree: Dollar Tree, a Fortune 200 Company, operated 16,774 stores across 48 states and five Canadian provinces as of February 3, 2024. They became a victim of the data breach. 1.2 TB of sensitive and personal data will be published soon in our blog.
- 🏴☠️ Akira has just published a new victim : Druni: DRUNI offers a wide range of online beauty products including perfumes, makeup, and cosmetics at competitive prices. We are ready to upload over 40 GB of corporate documents.
- 🏴☠️ Rhysida has just published a new victim : First Baptist Church of Hammond: First Baptist Church of Hammond Established in 1887, The First Baptist Church was listed as 2009’s 12th largest church in America in Outreach magazine.
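Several items above concern now-patched flaws that are being exploited in the wild (the SAP NetWeaver bug CVE-2025-31324, the PaperCut NG/MF CSRF added to CISA's KEV catalog). The practical check a defender wants after reading a digest like this is whether anything in their own inventory is on the KEV list and past its remediation due date. The script below is an added example written for this page, not code from any of the sources quoted here: it parses a feed in the shape of CISA's KEV JSON (the "vulnerabilities" array and its cveID / vendorProject / product / dueDate / knownRansomwareCampaignUse fields, as in the public feed) and matches it against a hypothetical asset inventory. The embedded feed is a constructed sample that reuses only the CVE number named on this page; its dates and name strings are made up for the example, so fetch the real catalog from CISA before relying on the output.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; the single entry reuses the CVE named on this page, but its dates and
# vulnerabilityName are made up for the example.
SAMPLE_KEV_JSON = """
{
  "title": "constructed KEV sample (not the real catalog)",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-31324",
      "vendorProject": "SAP",
      "product": "NetWeaver",
      "vulnerabilityName": "SAP NetWeaver critical flaw (name constructed for example)",
      "dateAdded": "2025-04-30",
      "dueDate": "2025-05-21",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Hypothetical asset inventory: (vendor, product) pairs as they appear in a CMDB.
EXAMPLE_INVENTORY = [
    ("SAP", "NetWeaver"),
    ("PaperCut", "NG/MF"),
]


def parse_kev(feed_text: str) -> list:
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def exposure_report(entries: list, inventory: list, today_iso: str) -> list:
    """Return one finding per KEV entry whose vendor/product matches the inventory.

    Matching is a case-insensitive substring match on both vendorProject and product,
    so ("sap", "netweaver") matches an entry with vendorProject "SAP", product "NetWeaver".
    Each finding records whether CISA's due date has already passed as of today_iso
    (ISO date string) and whether the entry is flagged as used in ransomware campaigns.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in entries:
        vendor_field = entry["vendorProject"].lower()
        product_field = entry["product"].lower()
        for vendor, product in inventory:
            if vendor.lower() in vendor_field and product.lower() in product_field:
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "cveID": entry["cveID"],
                    "asset": f'{entry["vendorProject"]} {entry["product"]}',
                    "due": entry["dueDate"],
                    "overdue": today > due,
                    "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                })
                break  # one finding per KEV entry even if several inventory rows match
    return findings


if __name__ == "__main__":
    entries = parse_kev(SAMPLE_KEV_JSON)
    # Date is chosen to fall after the constructed due date, so the finding is overdue.
    for f in exposure_report(entries, EXAMPLE_INVENTORY, "2025-07-30"):
        status = "OVERDUE" if f["overdue"] else "open"
        flag = " [ransomware use known]" if f["ransomware_use"] else ""
        print(f'{f["cveID"]}  {f["asset"]}  due {f["due"]}  {status}{flag}')
```

Substring matching is deliberately loose: KEV product strings are free text ("NetWeaver", "Multiple Products", version-qualified names), so an exact comparison against a CMDB would miss entries. Review the matches by hand and tighten the inventory strings if false positives appear.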