Ransomware Update – 2025-08-03

[Content by Gemini 2.5]

Cybersecurity Threat Overview

Latest Ransomware News and New File Extensions

  • Akira Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Exploiting SonicWall SSL VPN devices to gain initial access, with evidence suggesting the use of a zero-day vulnerability against even fully-patched systems.
    • Targets: Organizations utilizing SonicWall SSL VPN infrastructure.
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices” & “SonicWall firewall devices hit in surge of Akira ransomware attacks”
  • ‘Plague’ PAM Backdoor:

    • New Encrypted File Extension: N/A (This is a backdoor, not ransomware).
    • Attack Methods: A malicious and previously undocumented Pluggable Authentication Module (PAM) for Linux that allows attackers to bypass system authentication and maintain persistent SSH access for silent credential theft.
    • Targets: Critical Linux systems.
    • Decryption Status: N/A (Backdoor malware).
    • Source: “New ‘Plague’ PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft”
  • CL-STA-0969 Espionage Campaign:

    • New Encrypted File Extension: N/A (This is espionage malware, not ransomware).
    • Attack Methods: A state-sponsored, 10-month espionage campaign installing covert malware to establish remote control over compromised networks.
    • Targets: Telecommunications organizations and critical infrastructure in Southeast Asia.
    • Decryption Status: N/A (Espionage malware).
    • Source: “CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign”
  • Medusa Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion (implied from data leak announcement).
    • Targets: Franklin Pierce Schools (USA) and White Coffee Corporation (USA).
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “🏴‍☠️ Medusa has just published a new victim : Franklin Pierce Schools” & “🏴‍☠️ Medusa has just published a new victim : White Coffee Corporation”
  • Rhysida Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Cookeville Regional Medical Center (USA).
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “🏴‍☠️ Rhysida has just published a new victim : Cookeville Regional Medical Center”
  • Dragonforce Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion, specifically targeting financial, banking, and client documentation.
    • Targets: Clemens Construction (USA) and Pitman Farms.
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “🏴‍☠️ Dragonforce has just published a new victim : Clemens Construction” & “🏴‍☠️ Dragonforce has just published a new victim : Pitman Farms”
  • Lynx Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: GID GmbH (IT, Germany), PEFCO (Finance, USA), and Lincoln Law (Legal, USA).
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “🏴‍☠️ Lynx has just published a new victim : gid-it.de”, “🏴‍☠️ Lynx has just published a new victim : www.pefco.com”, & “🏴‍☠️ Lynx has just published a new victim : Lincoln Law”
  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Cadex Electronics (Manufacturing), Envac Iberia SA (Environmental, Spain), and Fort Smith Public Schools (Education, USA).
    • Decryption Status: No decryption tool or status mentioned.
    • Source: “🏴‍☠️ Qilin has just published a new victim : cadex.com”, “🏴‍☠️ Qilin has just published a new victim : envac.es”, & “🏴‍☠️ Qilin has just published a new victim : fortsmithschools.org”
  • Other Victim Announcements:

    • Imncrew has claimed an attack on One Gold Srl (Manufacturing/Jewelry, Italy).
    • Safepay has claimed an attack on Chamberlain Huckeriede Funeral Home (USA).

Observations and Further Recommendations

  • A significant trend is the exploitation of network edge devices, with the Akira ransomware group actively targeting SonicWall SSL VPNs, possibly using a zero-day vulnerability.
  • Ransomware attacks remain widespread and indiscriminate, affecting a diverse range of sectors including education (Franklin Pierce Schools, Fort Smith Schools), healthcare (Cookeville Regional Medical Center), finance (PEFCO), and critical infrastructure (Telecommunications).
  • The discovery of the ‘Plague’ backdoor highlights the increasing threat to Linux systems, moving beyond traditional Windows-focused malware and employing sophisticated methods like malicious PAMs to achieve persistence.
  • It is crucial for organizations to prioritize timely patching of all internet-facing systems, especially VPNs and firewalls. Implementing multi-factor authentication (MFA) and maintaining continuous network monitoring are essential for detecting and preventing such intrusions.
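The Plague entry above describes a malicious PAM module that bypasses authentication and keeps SSH access open, and the recommendation above calls for continuous monitoring. One concrete check that follows from both is auditing which modules the PAM stacks on a host actually load. The script below is an added example for this digest, not code from the original page, from Nextron Systems or from any PAM project: it parses pam.d-style configuration and flags modules loaded from outside the distribution's module directories or absent from a known-good baseline. The trusted directories, the baseline module list, and the sample file (including the made-up `pam_cache.so` name and the `/usr/local/lib/security` path) are assumptions and constructed data, to be replaced with values taken from a known-good host.

```python
"""Audit pam.d-style configuration for unexpected PAM modules.

Added example for this digest; not code from the original page, from
Nextron Systems, or from any PAM project. Trusted directories and the
module baseline below are assumptions to be tuned per distribution.
"""
import os
import re
from dataclasses import dataclass

# Where distribution-packaged PAM modules normally live (assumed; adjust per distro).
TRUSTED_MODULE_DIRS = {
    "/lib/security", "/lib64/security", "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
}

# Module names expected in this environment (assumed baseline; build yours from a known-good host).
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_faillock.so",
    "pam_succeed_if.so", "pam_systemd.so", "pam_limits.so", "pam_motd.so",
    "pam_nologin.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so", "pam_sss.so",
}

# [-]group  control (plain word or [bracketed list])  module-path  [args]
ENTRY_RE = re.compile(r"^(-?)([A-Za-z]+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PamEntry:
    file: str
    lineno: int      # line where the (possibly continued) entry starts
    group: str       # auth / account / password / session
    control: str     # required, sufficient, [success=1 default=ignore], ...
    module: str      # module path exactly as written in the config
    args: str


@dataclass
class Finding:
    file: str
    lineno: int
    severity: str
    detail: str


def parse_pam_config(name, text):
    """Return (entries, findings). Handles comments, backslash continuations and the
    '-' silent-failure prefix; @include lines are skipped (audit those files separately)."""
    entries, findings = [], []
    pending, start = "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not pending:
            start = lineno
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("@include"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append(Finding(name, start, "low", f"unparsable entry: {line!r}"))
            continue
        _silent, group, control, module, args = m.groups()
        entries.append(PamEntry(name, start, group.lower(), control, module, args or ""))
    if pending:
        findings.append(Finding(name, start, "low", "dangling line continuation at end of file"))
    return entries, findings


def audit_pam_config(name, text):
    """Flag modules loaded from outside the trusted directories or missing from the baseline."""
    entries, findings = parse_pam_config(name, text)
    for e in entries:
        base = os.path.basename(e.module)
        if e.module.startswith("/") and os.path.dirname(e.module) not in TRUSTED_MODULE_DIRS:
            findings.append(Finding(e.file, e.lineno, "high",
                                    f"{base} loaded from non-standard directory {os.path.dirname(e.module)}"))
        if base not in BASELINE_MODULES:
            # An unknown module in the auth stack can decide whether a login succeeds.
            severity = "high" if e.group == "auth" else "medium"
            findings.append(Finding(e.file, e.lineno, severity,
                                    f"{base} not in module baseline ({e.group} {e.control})"))
    return findings


# Constructed sample standing in for /etc/pam.d/sshd; "pam_cache.so" is a made-up name.
SAMPLE_SSHD_PAM = """\
# constructed sample, not a real capture
@include common-auth
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       sufficient   /usr/local/lib/security/pam_cache.so quiet
-session   optional     pam_systemd.so
session    required     pam_limits.so \\
                        conf=/etc/security/limits.conf
account    required     pam_nologin.so
session    optional
"""

if __name__ == "__main__":
    for f in audit_pam_config("/etc/pam.d/sshd (sample)", SAMPLE_SSHD_PAM):
        print(f"[{f.severity}] {f.file}:{f.lineno}: {f.detail}")
```

On a real host, run `audit_pam_config` over every file in `/etc/pam.d` plus `/etc/pam.conf`, and follow up on each flagged module by checking whether the package manager owns the file (`dpkg -S` or `rpm -qf`) and whether its hash matches the packaged copy; a module that no package claims is the case the Plague report describes.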

News Details

  • CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign: Telecommunications organizations in Southeast Asia have been targeted by a state-sponsored threat actor known as CL-STA-0969 to facilitate remote control over compromised networks. Palo Alto Networks Unit 42 said it observed multiple incidents in the region, including one aimed at critical telecommunications infrastructure between February and November 2024.
  • New ‘Plague’ PAM Backdoor Exposes Critical Linux Systems to Silent Credential Theft: Cybersecurity researchers have flagged a previously undocumented Linux backdoor dubbed Plague that has managed to evade detection for a year. “The implant is built as a malicious PAM (Pluggable Authentication Module), enabling attackers to silently bypass system authentication and gain persistent SSH access,” Nextron Systems researcher Pierre-Henri Pezier said.
  • Akira Ransomware Exploits SonicWall VPNs in Likely Zero-Day Attack on Fully-Patched Devices: SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. “In the intrusions reviewed, multiple pre-ransomware intrusions were observed within a short period of time, each involving VPN access through SonicWall SSL VPNs,” Arctic Wolf Labs researcher Julian Tuin said in a report.
  • SonicWall firewall devices hit in surge of Akira ransomware attacks: SonicWall firewall devices have been increasingly targeted since late July in a surge of Akira ransomware attacks, potentially exploiting a previously unknown security vulnerability, according to cybersecurity company Arctic Wolf.
  • 🏴‍☠️ Lynx has just published a new victim : gid-it.de: GID GmbH is a system house operating throughout Germany based in Cologne. As a system integrator, GID advises and offers solutions in the areas of infrastructure, HCI, storage, backup, e-mail/file management, deduplication, server and virtualization.
  • 🏴‍☠️ Imncrew has just published a new victim : Onegolditalia.it: One Gold Srl was founded in 2000 from twenty years of experience in the gold and silver sector. The company, specialized in the processing of precious and non-precious metals, produces accessories to order for its customers, in metal and costume jewellery, for the luxury sector.
  • 🏴‍☠️ Dragonforce has just published a new victim : Clemens Construction: (Banking, insurance, financial, and HR documentation. Audit. Client documentation.) Clemens Construction is a reputable construction firm based in Philadelphia, specializing in renovation and construction projects for the hospitality and commercial sectors.
  • 🏴‍☠️ Dragonforce has just published a new victim : Pitman Farms: (Financial, banking, and audit documentation. Suppliers, clients, mail correspondence, and many more interesting things about how to significantly increase profits while store shelves are empty due to the H5N1 virus.) Pitman Farms has been distributing fine poultry meats since 1954.
  • 🏴‍☠️ Lynx has just published a new victim : www.pefco.com: PEFCO facilitates the financing of U.S. exports by supplementing what is available from commercial banks and other lenders. The company offers a variety of export finance programs, acting as both a direct lender and a secondary market buyer of export loans.
  • 🏴‍☠️ Rhysida has just published a new victim : Cookeville Regional Medical Center: At Cookeville Regional Medical Center, we are dedicated to providing the highest quality care to our patients and making a positive impact on our community.
  • 🏴‍☠️ Medusa has just published a new victim : Franklin Pierce Schools: Franklin Pierce Schools is a school district located in Tacoma, Washington. It is made up of 15 schools, which include nine elementary schools, two middle schools & four high schools.
  • 🏴‍☠️ Medusa has just published a new victim : White Coffee Corporation: White Coffee Corporation is a family-owned business with over 85 years of experience, specializing in coffee roasting and co-packing services for beverage brands, hospitality providers, and entrepreneurs.
  • 🏴‍☠️ Lynx has just published a new victim : Lincoln Law: Established in 2001 and headquartered in Orem, Utah, Lincoln Law is a law firm that focuses on the interests of consumer bankruptcy.
  • 🏴‍☠️ Safepay has just published a new victim : chamberlainhuckeriede.com: Chamberlain Huckeriede Funeral Home is a family-owned and operated business based in Lima, Ohio. They’ve been serving the community for over 100 years, offering a range of services including traditional funerals, cremations, and pre-planned funerals.
  • 🏴‍☠️ Qilin has just published a new victim : cadex.com: Cadex Electronics specializes in the design and manufacturing of diagnostic chargers, battery analyzers, and rapid testers aimed at optimizing battery performance and longevity.
  • 🏴‍☠️ Qilin has just published a new victim : envac.es: Envac Iberia SA is a company that operates in the Waste Treatment, Environmental Services & Recycling industry. It employs 20 to 49 people and has 5M to 10M in revenue.
  • 🏴‍☠️ Qilin has just published a new victim : fortsmithschools.org: The Fort Smith Public School district is a destination district built on relationships, collaboration, and a culture of excellence. With over 2,000 employees, FSPS is one of the largest employers in Fort Smith, Arkansas.