Latest Ransomware News and New File Extensions
- Akira Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Exploiting a suspected zero-day vulnerability in SonicWall Gen 7 firewalls, specifically targeting enabled SSLVPN services for initial intrusion.
  - Targets: Organizations utilizing SonicWall Gen 7 firewalls with SSLVPN enabled.
  - Decryption Status: No known public decryption tool is available. SonicWall is actively investigating and has urged customers to disable the SSLVPN service.
  - Source: Dark Reading / The Hacker News (URL not provided in source data)
- Gangs Exploiting Microsoft SharePoint:
  - New Encrypted File Extension: Not specified (varies by gang).
  - Attack Methods: Targeting a Microsoft SharePoint vulnerability chain to breach networks.
  - Targets: At least 148 organizations worldwide have been breached as part of this broader exploitation campaign.
  - Decryption Status: Dependent on the specific ransomware group involved in the attack.
  - Source: BleepingComputer (URL not provided in source data)
- Play Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and publication of victims on its leak site to extort payment.
  - Targets: Recently published several US-based victims, including Phoenix Lighting, Backstage Library Works, White Horse Packaging, and Terillium.
  - Decryption Status: No known public decryption tool is available.
  - Source: Ransomware leak site monitoring (URL not applicable)
- Qilin Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data theft and public shaming. The group claims to have the complete data archive of a major Nordic tour operator.
  - Targets: Newly listed victims include STS Alpresor (alpresor.se) and Eastern Adjustment Company, Inc.
  - Decryption Status: No known public decryption tool is available.
  - Source: Ransomware leak site monitoring (URL not applicable)
- Dragonforce Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and posting victims on its leak site.
  - Targets: Recently added victims from Germany and Brazil, including Wedlich (real estate), Koenig Hausverwaltung (property management), K2L (IT consulting), and Banco Guanabara (bank).
  - Decryption Status: No known public decryption tool is available.
  - Source: Ransomware leak site monitoring (URL not applicable)
- Devman Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration followed by ransom demands, with amounts noted up to $1.8 million.
  - Targets: New victims listed include ruff.com.br (Brazil) and diethelmtravel.com (global travel company).
  - Decryption Status: No known public decryption tool is available.
  - Source: Ransomware leak site monitoring (URL not applicable)
- Various Other Ransomware Groups:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and extortion via “name-and-shame” leak sites.
  - Targets: A diverse range of organizations were newly listed as victims by several groups:
    - Moneymessage: Targeted Bucks County Opportunity Council, INC. (US non-profit).
    - Teamxxx: Targeted Scania.com (Swedish vehicle manufacturer).
    - Interlock: Targeted Weisman Children’s (US pediatric hospital).
    - Lynx: Targeted Frontline Bioenergy (US bioenergy company).
    - Braincipher: Targeted a German entity (bw-lv.de).
  - Decryption Status: No known public decryption tools are available for these groups.
  - Source: Ransomware leak site monitoring (URL not applicable)
Observations and Further Recommendations
- A major trend is the exploitation of vulnerabilities in widely used, internet-facing systems. The attacks on SonicWall firewalls (by Akira) and Microsoft SharePoint servers (by multiple gangs) highlight the significant risk posed by unpatched or misconfigured edge devices and enterprise software.
- Ransomware operations continue to be highly active, with numerous groups like Play, Qilin, and Dragonforce consistently posting new victims from diverse industries and geographic locations on their leak sites, indicating a persistent “name-and-shame” extortion strategy.
- Organizations are strongly advised to prioritize vulnerability management and apply security patches for critical systems immediately. Following vendor advisories, such as SonicWall’s recommendation to disable the SSLVPN service, is crucial for mitigating active threats even before a patch is available.
News Details
- Akira Ramps Up Assault on SonicWall Firewalls, Suggesting Zero-Day: An uptick of ransomware activity by the group in late July that uses the vendor’s SSL VPN devices for initial intrusion shows evidence of an as-yet-undisclosed flaw under exploitation.
- SonicWall Investigating Potential SSL VPN Zero-Day After 20+ Targeted Attacks Reported: SonicWall said it’s actively investigating reports to determine if there is a new zero-day vulnerability, following reports of a spike in Akira ransomware activity in late July 2025. “Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the network security vendor said.
- Ransomware gangs join attacks targeting Microsoft SharePoint servers: Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
- Qilin has just published a new victim: alpresor.se: Have you traveled to the Alps? Your personal data is in this archive. The full archive of STS Alpresor company is publicly available. The largest tour operator in the Nordic region, operating in Sweden, Norway and Finland.
- Fashion giant Chanel hit in wave of Salesforce data theft attacks: French fashion giant Chanel is the latest company to suffer a data breach in an ongoing wave of Salesforce data theft attacks.