Latest Ransomware News and New File Extensions
-
Royal and BlackSuit Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Network intrusion of corporate environments; DHS reports the gang had breached hundreds of U.S. companies before its infrastructure was dismantled last month.
- Targets: Over 450 U.S. companies across various sectors.
- Decryption Status: No known public decryption tool.
- Source: Royal and BlackSuit ransomware gangs hit over 450 US companies
-
Multiple Ransomware Groups (EDR Evasion):
- New Encrypted File Extension: Varies by group.
- Attack Methods: Use of a new Endpoint Detection and Response (EDR) killer tool, an evolution of ‘EDRKillShifter’, to disable security software during attacks.
- Targets: Broad; the tool has been observed in attacks by at least eight different ransomware gangs, including RansomHub, which developed the original EDRKillShifter.
- Decryption Status: Varies by group; generally, no public tools are available.
- Source: New EDR killer tool used by eight different ransomware groups
-
Akira Ransomware (via SonicWall Flaw):
- New Encrypted File Extension: Not specified.
- Attack Methods: Exploiting an older, already-patched vulnerability (CVE-2024-40766) in SonicWall Gen 7 and newer firewalls with SSL VPN enabled, combined with password reuse; SonicWall states the activity is not a zero-day.
- Targets: Organizations using vulnerable SonicWall devices.
- Decryption Status: No known public decryption tool.
- Source: SonicWall finds no SSLVPN zero-day, links ransomware attacks to 2024 flaw
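Turning this item into an action means checking two things per device, not one: whether the firmware is at or above the fixed build, and, on devices exposing SSL VPN, whether local account passwords have been rotated since the patch (a password that was valid while the device was exploitable may already be in an attacker's hands, which is exactly the reuse problem above) and whether MFA is enforced. The audit below is an added example written for this digest, not SonicWall's code or guidance; the inventory records, version strings, account names, dates and the FIXED_VERSION value are constructed or assumed, and the real fixed build must be taken from the vendor advisory.

```python
"""Inventory audit for an edge-device CVE: flag unpatched devices and, on
patched devices exposing SSL VPN, local accounts whose password predates the
patch or that lack MFA.  All inventory data and the fixed build are
constructed/assumed for this example."""
from datetime import date

# Assumption: replace with the fixed build listed in the vendor advisory.
FIXED_VERSION = "7.0.1-5035"


def parse_version(v):
    """'7.0.1-5035' -> (7, 0, 1, 5035) so builds compare numerically, not as strings."""
    release, _, build = v.partition("-")
    return tuple(int(p) for p in release.split(".")) + (int(build or 0),)


def audit(devices, fixed_version=FIXED_VERSION):
    """Return a list of (device, subject, issue) tuples."""
    fixed = parse_version(fixed_version)
    findings = []
    for dev in devices:
        patched = parse_version(dev["firmware"]) >= fixed
        if not patched:
            findings.append((dev["name"], "firmware",
                             f"{dev['firmware']} is below fixed build {fixed_version}"))
        if not dev["sslvpn"]:
            continue  # the exposed surface is the SSL VPN service
        for acct in dev["local_accounts"]:
            if not patched:
                findings.append((dev["name"], acct["user"],
                                 "local SSL VPN account on an unpatched device"))
            elif acct["password_changed"] <= dev["patched_on"]:
                findings.append((dev["name"], acct["user"],
                                 "password not rotated since patching; rotate it"))
            if not acct["mfa"]:
                findings.append((dev["name"], acct["user"], "no MFA on SSL VPN account"))
    return findings


# Constructed inventory: one patched device with a stale password, one
# unpatched device with SSL VPN, one unpatched device without SSL VPN.
INVENTORY = [
    {"name": "fw-hq", "firmware": "7.0.1-5035", "sslvpn": True,
     "patched_on": date(2024, 9, 10),
     "local_accounts": [
         {"user": "alice", "password_changed": date(2024, 3, 1), "mfa": False},
         {"user": "bob", "password_changed": date(2024, 10, 1), "mfa": True},
     ]},
    {"name": "fw-branch", "firmware": "7.0.1-5030", "sslvpn": True, "patched_on": None,
     "local_accounts": [
         {"user": "carol", "password_changed": date(2024, 1, 15), "mfa": True},
     ]},
    {"name": "fw-lab", "firmware": "7.0.1-5030", "sslvpn": False, "patched_on": None,
     "local_accounts": []},
]

if __name__ == "__main__":
    for device, subject, issue in audit(INVENTORY):
        print(f"{device:10} {subject:10} {issue}")
```

The version parser matters more than it looks: comparing "7.0.1-5035" and "7.0.1-5030" as strings happens to work, but "7.0.1-10000" would sort below "7.0.1-5035" lexically, which is how devices quietly stay on an audit's "patched" list.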
-
Qilin Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via a leak site.
- Targets: Numerous international organizations including Shinko Plastics, Belmont Christian College (Australia), Ryeco, Lawrence Paper, EyeQ Monitoring, Avosina Healthcare, Camdon Construction, Lodi Police Department, Sota Construction, AzureWave Technologies, and KenGen (Kenya).
- Decryption Status: No known public decryption tool.
- Source: Ransomware Leak Site Announcements
-
Blacknevas Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, offering stolen data for sale or auction. Claimed to have exfiltrated 300 GB from Quality Data Service, Inc. and is auctioning the data.
- Targets: Diverse victims including Payme Ltd, LEARN (Regional Educational Service Center), Clearsynth Labs, Promosfera, Cosaen Grup, Kinas Solicitors, Quality Data Service, Inc. (and its 200+ Connecticut municipality clients), Dragonfly Game, and Chabaa Bangkok.
- Decryption Status: No known public decryption tool.
- Source: Ransomware Leak Site Announcements
Observations and Further Recommendations
- A significant number of ransomware and data extortion groups (Qilin, Blacknevas, Medusa, Play, etc.) are actively targeting a wide array of global entities across manufacturing, education, finance, healthcare, and government sectors.
- Threat actors continue to evolve their tactics, demonstrated by the adoption of a new “EDR killer” tool by at least eight distinct ransomware gangs to bypass modern security defenses.
- The exploitation of older, patched vulnerabilities remains a highly effective attack vector. The Akira ransomware attacks on SonicWall devices (CVE-2024-40766) highlight that failures in patch management and credential hygiene (password reuse) are critical security gaps.
- Initial access methods are varied, with notable threats coming from malicious packages in open-source registries (PyPI, RubyGems, npm, Go modules), underlining software supply chain risk.
- General recommendations: prioritize timely patching of all software and hardware, including network edge devices; rotate credentials that were in use while a device was vulnerable and eliminate password reuse; enforce multi-factor authentication (MFA); keep EDR solutions healthy and monitor for attempts to tamper with or terminate them; and vet third-party code libraries before they are pulled into a build.
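Part of the vetting recommended above can be automated before a dependency is ever installed. As an added example written for this digest (not code from the page or from any referenced project), the script below runs two cheap checks that catch a large share of malicious registry uploads: it flags requested package names that are not on an allowlist of well-known packages but sit within two edits of one (the typosquatting pattern), and it lists npm lifecycle scripts that execute at install time, which is where a package can run code without the developer ever importing it. The allowlist, the requested names and the package.json are constructed for the example; build the allowlist from your own lockfiles.

```python
"""Two pre-install checks for third-party packages: (1) names within a small
edit distance of a popular package (typosquatting), (2) npm lifecycle
scripts that run code at install time.  Package names and the package.json
below are constructed for this example."""
import json

# Illustrative allowlist of well-known names; build yours from your lockfiles.
POPULAR = {"requests", "numpy", "colorama", "urllib3", "lodash", "express", "axios"}

# npm runs these automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def levenshtein(a, b):
    """Edit distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(requested, popular=POPULAR, max_distance=2):
    """Map each requested name that is NOT allowlisted but lies within
    max_distance edits of an allowlisted name to that closest name."""
    hits = {}
    for name in requested:
        n = name.lower()
        if n in popular:
            continue  # exact allowlisted name: fine
        closest = min(popular, key=lambda p: levenshtein(n, p))
        if levenshtein(n, closest) <= max_distance:
            hits[name] = closest
    return hits


def install_hooks(package_json_text):
    """Return the lifecycle scripts in a package.json that execute on install."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


# Constructed inputs: two look-alike names among legitimate ones, and a
# package.json whose postinstall hook runs arbitrary code at install time.
REQUESTED = ["requsts", "numpy", "colourama", "urllib3"]
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "social-auto-poster",
    "version": "1.0.3",
    "scripts": {"postinstall": "node ./lib/setup.js", "test": "mocha"},
})

if __name__ == "__main__":
    for name, looks_like in typosquat_candidates(REQUESTED).items():
        print(f"possible typosquat: {name!r} resembles {looks_like!r}")
    for hook, cmd in install_hooks(SAMPLE_PACKAGE_JSON).items():
        print(f"install-time script {hook}: {cmd}")
```

An install-time hook is not proof of malice (native modules legitimately build in `install`), so the useful policy is to require a human look at any hook in a new or updated dependency, and to run `npm install --ignore-scripts` in CI for packages that have not been reviewed.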
News Details
- Leaked Credentials Up 160%: What Attackers Are Doing With Them: When an organization’s credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password.
- RubyGems, PyPI Hit by Malicious Packages Stealing Credentials, Crypto, Forcing Security Changes: A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users.
- GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions: A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets.
- SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others: The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content.
- Webinar: How to Stop Python Supply Chain Attacks—and the Expert Tools You Need: Python is everywhere in modern software. From machine learning models to production microservices, chances are your code—and your business—depends on Python packages you didn’t write.
- Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes: Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems.
- The AI-Powered Security Shift: What 2025 Is Teaching Us About Cloud Defense: Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield.
- Microsoft Discloses Exchange Server Flaw Enabling Silent Cloud Access in Hybrid Setups: Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions.
- 6,500 Axis Servers Expose Remoting Protocol; 4,000 in U.S. Vulnerable to Exploits: Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.
- SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day: SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse.
- Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft: Cybersecurity researchers have demonstrated an “end-to-end privilege escalation chain” in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
- Fake VPN and Spam Blocker Apps Tied to VexTrio Used in Ad Fraud, Subscription Scams: The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google’s official app storefronts under the guise of seemingly useful applications.
- Microsoft 365 apps to soon block file access via FPRPC by default: Microsoft has announced that the Microsoft 365 apps for Windows will start blocking access to files via the insecure FPRPC legacy authentication protocol by default starting late August.
- Microsoft will kill the Lens PDF scanner app for iOS, Android: Microsoft announced that it will phase out the Microsoft Lens PDF scanner app for Android and iOS devices starting September 15, 2025.
- Columbia University data breach impacts nearly 870,000 individuals: An unknown threat actor has stolen the sensitive personal, financial, and health information of nearly 870,000 Columbia University current and former students and employees after breaching the university’s network in May.
- Royal and BlackSuit ransomware gangs hit over 450 US companies: The U.S. Department of Homeland Security (DHS) says the cybercrime gang behind the Royal and BlackSuit ransomware operations had breached hundreds of U.S. companies before their infrastructure was dismantled last month.
- Fake WhatsApp developer libraries hide destructive data-wiping code: Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer’s computers.
- CISA orders fed agencies to patch new Exchange flaw by Monday: CISA has issued an emergency directive ordering all Federal Civilian Executive Branch (FCEB) agencies to mitigate a critical Microsoft Exchange hybrid vulnerability tracked as CVE-2025-53786 by Monday morning at 9:00 AM ET.
- ChatGPT’s GPT-5 models released: everything you need to know: After a long wait, GPT-5 is finally rolling out. It’s available for free, Plus, Pro and Team users today.
- New EDR killer tool used by eight different ransomware groups: A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
- Bouygues Telecom confirms data breach impacting 6.4 million customers: Bouygues Telecom warns it suffered a data breach after the personal information of 6.4 million customers was exposed in a cyberattack.
- SonicWall finds no SSLVPN zero-day, links ransomware attacks to 2024 flaw: SonicWall says that recent Akira ransomware attacks exploiting Gen 7 firewalls with SSLVPN enabled are exploiting an older vulnerability rather than a zero-day flaw.
- Wave of 150 crypto-draining extensions hits Firefox add-on store: A malicious campaign dubbed ‘GreedyBear’ has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
- Payback: ‘ShinyHunters’ Clocks Google via Salesforce: In 2024, it was Snowflake. In 2025, it’s Salesforce. ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas.
- 🏴☠️ Everest has just published a new victim : Pacific HealthWorks: [AI generated] Pacific HealthWorks is a management services organization based in Los Angeles, United States.
- 🏴☠️ Incransom has just published a new victim : multichem.net: MULTICHEM: THE INK SPECIALISTS. Creating inks since 1973, Multichem has earned a global reputation for quality, service and technical support.
- 🏴☠️ Sinobi has just published a new victim : Main Electric Supply Co.: Main Electric Supply Company was founded on October 14th, 1946 by Charles Vowels and Burt McCombs.
- 🏴☠️ Lynx has just published a new victim : Admiral Gaming Network: Security Breach Announcement
- 🏴☠️ Qilin has just published a new victim : shinko plastics co. ltd: Shinko plastics co. ltd Sales of plastic sheet, plastic film, raw material, and related sub-material and plastic finished goods.
- 🏴☠️ Qilin has just published a new victim : Belmont christian college: Belmont Christian College is a school in Australia located in the state of New South Wales.
- 🏴☠️ Blacknevas has just published a new victim : Quality Data Service, Inc.: Today, we’re opening the auction. Over the past several weeks, we’ve completed a full exfiltration from the infrastructure of Quality Data Service, Inc., Connecticut’s most “trusted” municipal software provider.
- 🏴☠️ Medusa has just published a new victim : PANSARD & ASSOCIES: PANSARD & ASSOCIES has developed three complementary activities to assist companies in their day-to-day operations and facilitate strategic planning relating to enterprise and asset growth and maximization.
- 🏴☠️ Play has just published a new victim : Jamco Aerospace: United States