Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified
- Attack Methods: Abusing a legitimate Intel CPU tuning driver to disable Microsoft Defender and other security tools on targeted machines.
- Targets: Recently listed MGM Transformer, claiming to have exfiltrated over 60GB of corporate documents, including financial, employee, and customer data.
- Decryption Status: No known decryption tool.
- Source: https://www.bleepingcomputer.com/news/security/akira-ransomware-abuses-cpu-tuning-tool-to-disable-microsoft-defender/
Blacknevas:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration and extortion, with some victims’ data being put up for auction. Claims include full infrastructure compromise and theft of databases, source code, and personal information.
- Targets: Highly active, targeting a diverse range of global organizations, including Quality Data Service (US), Payme Ltd (UK), CLEARSYNTH LABS, CHABAA BANGKOK (Thailand), Dragonfly (South Korea), and CILI (Lithuania).
- Decryption Status: No known decryption tool.
- Source: Ransomware leak site post.
Play:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration and extortion.
- Targets: Multiple US-based companies, including Jamco Aerospace, The Magni Group, Emprise, and Brad’s Bedding Plants.
- Decryption Status: No known decryption tool.
- Source: Ransomware leak site post.
Pear:
- New Encrypted File Extension: Not specified
- Attack Methods: Data exfiltration and extortion.
- Targets: Very active against small to medium-sized businesses and organizations in the US, including law firms (Garrison Law Firm), specialty contractors (Neff Specialties), home builders (Brookside Homes), and churches (Clarkston First Baptist Church).
- Decryption Status: No known decryption tool.
- Source: Ransomware leak site post.
Other Active Ransomware Groups:
- Attack Methods: Standard data theft and extortion tactics, publishing victim names and stolen data samples on their leak sites.
- Targets: A wide array of industries worldwide has been targeted by various groups:
  - Medusa: PANSARD & ASSOCIES (French consulting firm), claiming 566 GB of data.
  - Qilin: KenGen (Kenya Electricity Generating Company) and Ferrocortes (Colombian steel company).
  - Incransom: Afpa (French vocational training), claiming 5TB of data, and Michelli Weighing & Measurement (US).
  - Embargo: Heart of America Medical Center (US), claiming 800GB of data.
  - Sarcoma: Harinera del Valle (Colombian food producer), claiming a 59 GB archive of files and SQL data.
  - Spacebears: Triveneta Vetro (Italian glass manufacturer).
  - Further leak-site posts listed below name Everest (Brunton Shaw, UK), Dragonforce (Diversified Project Services International), Safepay (Ridgefield Public Schools, Connecticut), Lynx (Cibraco Imóveis, Brazil), Direwolf (HCK Capital Group, Malaysia), Securotrop (Budinger & Associates) and Nitrogen (F&P Georgia Mfg).
- Decryption Status: No known decryption tools for these groups.
- Source: Ransomware leak site posts.
Observations and Further Recommendations
- Ransomware groups continue to target a vast and diverse range of sectors globally, from critical infrastructure and large corporations to small businesses, non-profits, and public services.
- A notable trend is the use of more sophisticated evasion techniques. Akira's abuse of a legitimately signed Intel CPU tuning driver to disable Microsoft Defender (a bring-your-own-vulnerable-driver, or BYOVD, technique) shows that a valid signature is not a trust decision. Defenders need EDR that flags anomalous behavior from signed code, plus driver-load controls: Microsoft's vulnerable driver blocklist, and alerting on kernel drivers loaded from user-writable paths rather than the system driver directories.
- The high volume of victims posted by Blacknevas and Pear points to efficient, high-throughput campaigns. The leak-site posts themselves give no initial-access details, so whether these groups rely on exploited vulnerabilities, phishing, or reused credentials is not confirmed here.
- The in-the-wild exploitation of the Trend Micro Apex One management console flaws (CVE-2025-54948 and CVE-2025-54987; only mitigations are available for on-premises installs, with a patch promised for mid-August) and of an older, already-patched SonicWall Gen 7 SSL VPN bug combined with password reuse is a reminder that exposed management consoles and VPN gateways need prompt patching, removal from the public internet where possible, credential rotation after any suspected exposure, and MFA.
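The Akira observation above comes down to one detection question: which kernel driver loads deserve a second look? The following script is an added example, not code from the original digest, from BleepingComputer, or from any vendor named on this page. It triages Sysmon Event ID 6 (DriverLoad) records for the three signals a BYOVD attack tends to leave: a driver loaded from outside the system driver directories, a missing or invalid signature, or a hash that matches an operator-maintained list of known-abusable signed drivers (the kind you would compile from Microsoft's vulnerable driver blocklist or the LOLDrivers project). The field names follow Sysmon's DriverLoad schema; the sample records, the vendor name and the blocklist hash are constructed placeholders and do not identify any real driver.

```python
"""
Added example (not from the original digest): triage Sysmon Event ID 6
(DriverLoad) records for the signals a BYOVD attack leaves behind.
Field names follow Sysmon's DriverLoad schema; the records and the
blocklist hash below are constructed for the example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Directories from which properly installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\drivers"),
    PureWindowsPath(r"C:\Windows\System32\DriverStore\FileRepository"),
)

# Assumption: an operator-maintained map of SHA256 -> label for drivers that
# are validly signed but known to be abusable. The hash is a constructed
# placeholder, not the hash of any real driver.
KNOWN_ABUSABLE_SHA256: Dict[str, str] = {
    "deadbeef" * 8: "placeholder: CPU tuning utility driver",
}


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def sha256_from_hashes(hashes: str) -> Optional[str]:
    """Sysmon encodes hashes as 'SHA256=...,MD5=...,IMPHASH=...'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def in_trusted_dir(image: str) -> bool:
    """True if the driver sits under a standard driver directory."""
    # PureWindowsPath compares case-insensitively, as Windows does.
    path = PureWindowsPath(image)
    return any(base in path.parents for base in TRUSTED_DRIVER_DIRS)


def analyze_driver_load(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the load looks like BYOVD staging, else None."""
    image = event.get("ImageLoaded", "")
    reasons: List[str] = []
    if not in_trusted_dir(image):
        reasons.append(
            f"loaded from non-standard location {PureWindowsPath(image).parent}"
        )
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    sha = sha256_from_hashes(event.get("Hashes", ""))
    if sha in KNOWN_ABUSABLE_SHA256:
        reasons.append(f"hash on abusable-driver list ({KNOWN_ABUSABLE_SHA256[sha]})")
    return Finding(image, reasons) if reasons else None


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the triage over a batch of DriverLoad records."""
    return [f for f in map(analyze_driver_load, events) if f is not None]


# Constructed sample records: a routine Windows driver, a validly signed
# vendor driver dropped into a temp folder, and an unsigned driver in ProgramData.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid", "Hashes": "SHA256=" + "11" * 32},
    {"ImageLoaded": r"C:\Users\admin\AppData\Local\Temp\cputune.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor",
     "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "deadbeef" * 8 + ",MD5=" + "22" * 16},
    {"ImageLoaded": r"C:\ProgramData\svc\helper.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "Hashes": "SHA256=" + "33" * 32},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image)
        for reason in finding.reasons:
            print("  -", reason)
```

Note what the second record shows: the dropped driver is validly signed and is flagged only on location and hash. That is the BYOVD point in miniature; a signature check alone would have passed it. In production, feed the hash list from a maintained source and treat the "non-standard location" reason as a strong signal on servers, where drivers should never be loaded from user profiles or temp directories.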
News Details
- Microsoft Discloses Exchange Server Flaw Enabling Silent Cloud Access in Hybrid Setups: Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions. The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0.
- The AI-Powered Security Shift: What 2025 Is Teaching Us About Cloud Defense: Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden: Secure AI embedded in every part of the business, Use AI to defend faster and smarter, and Fight AI-powered threats that execute in minutes—or seconds.
- SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day: SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. “We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” the company said.
- Webinar: How to Stop Python Supply Chain Attacks—and the Expert Tools You Need: Python is everywhere in modern software. From machine learning models to production microservices, chances are your code—and your business—depends on Python packages you didn’t write. But in 2025, that trust comes with a serious risk.
- Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft: Cybersecurity researchers have demonstrated an “end-to-end privilege escalation chain” in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
- Fake VPN and Spam Blocker Apps Tied to VexTrio Used in Ad Fraud, Subscription Scams: The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google’s official app storefronts under the guise of seemingly useful applications.
- AI Slashes Workloads for vCISOs by 68% as SMBs Demand More – New Report Reveals: As the volume and sophistication of cyber threats and risks grow, cybersecurity has become mission-critical for businesses of all sizes. To address this shift, SMBs have been urgently turning to vCISO services to keep up with escalating threats and compliance demands.
- Microsoft Launches Project Ire to Autonomously Classify Malware Using AI Tools: Microsoft on Tuesday announced an autonomous artificial intelligence (AI) agent that can analyze and classify software without assistance in an effort to advance malware detection efforts. The large language model (LLM)-powered autonomous malware classification system, currently a prototype, has been codenamed Project Ire.
- Trend Micro Confirms Active Exploitation of Critical Apex One Flaws in On-Premise Systems: Trend Micro has released mitigations to address critical security flaws in on-premise versions of Apex One Management Console that it said have been exploited in the wild. The vulnerabilities (CVE-2025-54948 and CVE-2025-54987), both rated 9.4 on the CVSS scoring system, have been described as management console command injection and remote code execution flaws.
- CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures: The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.
- AI Is Transforming Cybersecurity Adversarial Testing – Pentera Founder’s Vision: In 2015 I founded a cybersecurity testing software company with the belief that automated penetration testing was not only possible, but necessary. At the time, the idea was often met with skepticism, but today, with 1200+ enterprise customers and thousands of users, that vision has proven itself.
- CISA Adds 3 D-Link Vulnerabilities to KEV Catalog Amid Active Exploitation Evidence: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link Wi-Fi cameras and video recorders to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.
- Cryptomixer founders pled guilty to laundering money for cybercriminals: The founders of the Samourai Wallet (Samourai) cryptocurrency mixer have pleaded guilty to laundering over $200 million for criminals.
- Massive IPTV piracy service with 28,000 channels taken offline: The Alliance for Creativity and Entertainment (ACE) announced the shutdown of Rare Breed TV, a major illegal IPTV service provider, after reaching a financial settlement with its operators.
- Air France and KLM disclose data breaches impacting customers: Air France and KLM announced on Wednesday that attackers had breached a customer service platform and stolen the data of an undisclosed number of customers.
- Microsoft warns of high-severity flaw in hybrid Exchange deployments: Microsoft has warned customers to mitigate a high-severity vulnerability in Exchange Server hybrid deployments that could allow attackers to escalate privileges in Exchange Online cloud environments undetected.
- Microsoft accidentally confirms GPT-5, GPT-5-Mini, GPT-5-Nano ahead of launch: OpenAI is hosting a live stream at 10AM PT to announce GPT-5, but Microsoft has already confirmed the details.
- Akira ransomware abuses CPU tuning tool to disable Microsoft Defender: Akira ransomware is abusing a legitimate Intel CPU tuning driver to turn off Microsoft Defender and evade the security tools and EDRs running on target machines.
- New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations: A new post-exploitation command-and-control (C2) evasion method called ‘Ghost Calls’ abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
- Hacker extradited to US for stealing $3.3 million from taxpayers: Nigerian national Chukwuemeka Victor Amachukwu has been extradited from France to the U.S. to face charges of hacking, fraud, and identity theft for suspected spearphishing attacks on U.S. tax preparation businesses.
- MFA matters… But it isn’t enough on its own: MFA blocks 99% of attacks—but weak passwords still let attackers in. Specops helps you enforce strong password policies and MFA everywhere, so one layer doesn’t undo the other.
- Google suffers data breach in ongoing Salesforce data theft attacks: Google is the latest company to suffer a data breach in an ongoing wave of Salesforce CRM data theft attacks conducted by the ShinyHunters extortion group.
- National Bank of Canada online systems down due to ‘technical issue’: National Bank of Canada (Banque Nationale du Canada), the sixth largest commercial bank of Canada is currently experiencing a widespread service outage affecting its online banking and mobile app platforms.
- ReVault flaws let hackers bypass Windows login on Dell laptops: ControlVault3 firmware vulnerabilities impacting over 100 Dell laptop models can allow attackers to bypass Windows login and install malware that persists across system reinstalls.
- Meta illegally collected Flo users’ menstrual data, jury rules: A California jury has found that Meta illegally collected user health data from the Flo period-tracking app, violating the state’s wiretap law. The verdict concludes a lawsuit filed against Flo, Google, Meta, and app analytics company Flurry in 2021.
- The lawyer who beat Tesla is ready for ‘round two’: The day after he won an unprecedented $243 million verdict in a wrongful death case against Tesla, attorney Brett Schreiber posted a reel on Instagram celebrating the victory.
- Apple’s mysterious chip tech will help Samsung make iPhone image sensors in Texas: Apple is teaming up with Samsung to produce digital image sensors for future iPhone models, according to The Financial Times. This is tied to Apple’s Wednesday announcement that it is working with Samsung’s semiconductor facility in Austin, Texas.
- OpenAI’s new GPT-5 models announced early by GitHub: GitHub has accidentally announced OpenAI’s new range of GPT-5 models. A now-deleted GitHub blog post reveals that GPT-5, which will be available in four different versions, offers “major improvements in reasoning, code quality, and user experience.”
- The best earbuds we’ve tested for 2025: It’s hard to buy a bad pair of wireless earbuds these days, and with constant discounts and deals wherever you look, now is as good a time as any to splurge on the pair you’ve been eyeing.
- Sonos confirms tariffs will increase its prices this year: Tom Conrad took over as CEO of Sonos in January as it continues to recover from last year’s disastrous mobile app update, and now the company has issued its first quarterly earnings report after he dropped the interim tag from his title.
- The best budget robot vacuums: Today’s robot vacuums are becoming a bit like cars: with all the features, upgrades, and fancy trimmings available these days, it’s easy to forget that they can just be simple machines that get us from point A to point B.
- Trump threatens 100 percent tariff on computer chips with a gigantic loophole: In the very first week of his presidency, Donald Trump vowed to force silicon manufacturing back to the United States by making processors more expensive, a threat he’s repeated since.
- Apple made a 24k gold and glass statue for Donald Trump: At a White House press conference to discuss Apple’s new US manufacturing plans, CEO Tim Cook presented a gift to President Donald Trump: a “unique” piece of glass from iPhone glass manufacturer Corning that’s set in a 24-karat gold base.
- Google would like you to study with Gemini instead of cheat with it: Google’s Gemini AI now has a “guided learning” mode that tries to help you actually understand the problems you’re trying to learn about instead of just giving you the answer.
- CISA Issues Alert on Vulnerability affecting Microsoft Exchange: No summary provided; presumably the Exchange Server hybrid-deployment flaw (CVE-2025-53786) covered above.
- Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults: Secrets managers hold all the keys to an enterprise’s kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
- ‘ReVault’ Security Flaws Impact Millions of Dell Laptops: The now-patched vulnerabilities exist at the firmware level and enable deep persistence on compromised systems.
- VexTrio Cybercrime Outfit Run by Legit Ad Tech Firms: New research reveals that a malicious traffic distribution system (TDS) is run not by “hackers in hoodies,” but by a series of corporations operating in the commercial digital advertising industry.
- Google Gemini AI Bot Hijacks Smart Homes, Turns Off the Lights: Using invisible prompts, the attacks demonstrate a physical risk that could soon become reality as the world increasingly becomes more interconnected with artificial intelligence.
- Attackers Exploit Critical Trend Micro Apex One Zero-Day Flaw: Two critical vulnerabilities affect the security vendor’s management console, one of which is under active exploitation. The company has updated cloud-based products but won’t have a patch for its on-premises version until mid-August.
- Pandora Confirms Third-Party Data Breach, Warns of Phishing Attempts: The jewelry retailer is warning customers that their data can and might be used maliciously.
- RCE Flaw in AI-Assisted Coding Tool Poses Software Supply Chain Risk: A critical vulnerability in the trust model of Cursor, a fast-growing tool for LLM-assisted development, allows for silent and persistent remote code execution.
- Cisco User Data Stolen in Vishing Attack: The networking giant said this week that an employee suffered a voice phishing attack that resulted in the compromise of select user data, including email addresses and phone numbers.
- 🏴☠️ Spacebears has just published a new victim : Triveneta Vetro: TRIVENETA VETRO always keeps an attentive eye on customers’ requests. We also supply accessories and our range of articles is always updated in order to comply with your needs.
- 🏴☠️ Medusa has just published a new victim : PANSARD & ASSOCIES: PANSARD & ASSOCIES has developed three complementary activities to assist companies in their day-to-day operations and facilitate strategic planning relating to enterprise and asset growth and maximization.
- 🏴☠️ Play has just published a new victim : Jamco Aerospace: United States
- 🏴☠️ Qilin has just published a new victim : Kengen: Kenya Electricity Generating Company abbreviated to KenGen, is a government enterprise in the Republic of Kenya charged with the production of electricity for the country and around East Africa.
- 🏴☠️ Blacknevas has just published a new victim : Payme Ltd: Payme Ltd is a CIS payroll and contracting company with FCSA and professional passport accreditation for agencies and contractors. Loading the entire company infrastructure, 1030 gigabytes of passport data and financial reports.
- 🏴☠️ Incransom has just published a new victim : Afpa: The Afpa Group. Since 1949, Afpa has been the leading organization for vocational training leading to qualifications. Its primary mission is to provide training for employment. They became a victim of the data breach. 5TB of sensitive and personal data will be published soon in our blog.
- 🏴☠️ Everest has just published a new victim : BRUNTON-SHAW.COM: [AI generated] Brunton Shaw is a company based in the UK that specializes in the manufacture of wire and rope solutions.
- 🏴☠️ Embargo has just published a new victim : Heart of America Medical Center (HAMC): About Heart of America Medical Center. A non-profit hospital offering comprehensive medical services, including emergency care, radiology/imaging, surgical cen… – I have your Data 800GB.
- 🏴☠️ Dragonforce has just published a new victim : Diversified Project Services International: Diversified Project Services International, Inc. (DPSI) is a leader in engineering, geomatics (surveying), planning, permitting, inspection, energy management and construction management.
- 🏴☠️ Pear has just published a new victim : Neff Specialties: Neff Specialties is a specialty sub-contractor that caters to the education, industrial, and commercial sectors across Pennsylvania, West Virginia, and Northern Maryland.
- 🏴☠️ Safepay has just published a new victim : ridgefield.org: [AI generated] “Ridgefield.org” represents Ridgefield public schools in Ridgefield, Connecticut. It is a holistic platform providing comprehensive information about the school district.
- 🏴☠️ Lynx has just published a new victim : cibraco: Cibraco Imóveis, a reference in the real estate market of Curitiba and its Metropolitan Region.
- 🏴☠️ Direwolf has just published a new victim : HCK Capital Group: [AI generated] HCK Capital Group is a Malaysian investment holding company, primarily operating in the fields of property development, education, and media.
- 🏴☠️ Securotrop has just published a new victim : Budinger & Associates: [AI generated] Budinger & Associates is a consulting engineering company that specializes in geotechnical engineering, construction monitoring, environmental consultations, and mining and materials services.
- 🏴☠️ Nitrogen has just published a new victim : F&P Georgia Mfg Inc: Tier-1 supplier of suspension components to the automotive industry.
- 🏴☠️ Sarcoma has just published a new victim : Harinera del Valle: Harinera del Valle (HV) is a prominent Colombian company with over 60 years of experience in producing and commercializing processed foods. Geo: Colombia – Leak size: 59 GB Archive – Contains: Files,SQL.
- 🏴☠️ Akira has just published a new victim : MGM Transformer: MGM Transformers specializes in manufacturing a wide range of transformers… We are ready to upload more than 60GB files of essential corporate documents.