Ransomware Update – 2025-08-09

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Royal and BlackSuit:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Breaching corporate networks for data exfiltration and encryption. Their infrastructure was recently dismantled by law enforcement.
    • Targets: Over 450 U.S. companies across various sectors.
    • Decryption Status: Infrastructure dismantled, but no public decryption tools mentioned.
    • Source: News Article
  • LockBit (Delivered via SocGholish):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Initial access is gained through SocGholish malware, which is spread via Traffic Distribution Systems (TDSs). Access to the infected systems is then sold to ransomware groups such as LockBit.
    • Targets: Visitors to legitimate websites who are redirected through the TDS; access to their compromised systems is then sold to cybercriminal organizations.
    • Decryption Status: Not specified.
    • Source: News Article
  • Ransomware Groups Using New EDR Killer:

    • Details: A new EDR (Endpoint Detection and Response) killer, an evolution of ‘EDRKillShifter’, is being used by at least eight ransomware groups, including RansomHub.
    • New Encrypted File Extension: Not applicable (this is a defense-evasion tool run before the encryptor is deployed, not a ransomware strain).
    • Attack Methods: The tool is used to disable or evade EDR security solutions to allow for the unimpeded deployment of ransomware.
    • Targets: Organizations protected by EDR security software.
    • Decryption Status: Not applicable.
    • Source: News Article
  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion via a public leak site.
    • Targets: CIMEXSTEEL.CZ (Czech manufacturing), Shinko Plastics Co. Ltd (Japanese plastics leader), and Belmont Christian College (Australian school).
    • Decryption Status: No known public decryptor; the primary threat is data leakage.
    • Source: Ransomware Leak Site Publication
  • Everest:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Viking Automation, Pacific HealthWorks (US healthcare management), and La Perouse (revenue cycle management).
    • Decryption Status: No known public decryptor.
    • Source: Ransomware Leak Site Publication
  • Sinobi:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Dyson Corp. (US industrial supplier) and Main Electric Supply Co. (US electrical supplier).
    • Decryption Status: No known public decryptor.
    • Source: Ransomware Leak Site Publication
  • RomCom Malware (via WinRAR Zero-Day):

    • Details: A WinRAR zero-day vulnerability (CVE-2025-8088), since patched, was exploited to deliver the RomCom malware.
    • New Encrypted File Extension: Not applicable (the payload is described only as malware, not as ransomware).
    • Attack Methods: Phishing emails carrying a malicious archive file. When the recipient extracts it with a vulnerable WinRAR version, the exploit installs the RomCom malware.
    • Targets: Recipients of the phishing emails who run an unpatched WinRAR version.
    • Decryption Status: Not applicable.
    • Source: News Article
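The RomCom item above turns on one decision: whether a phishing attachment is ever opened in a desktop extractor. The script below is an added example for this digest, not code from the page, from WinRAR or from any vendor named here, and it does not reproduce CVE-2025-8088. It inspects only the entry names of a ZIP held in memory (the Python standard library reads ZIP, not RAR) and reports the patterns a mail gateway would quarantine before extraction: absolute paths, `..` traversal, executable extensions, double extensions and whitespace-padded names. The extension lists and the sample archive are constructed for the example.

```python
"""Pre-extraction triage of an e-mailed archive (added example, see lead-in)."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions Windows executes on double-click; constructed list for the example.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "hta", "lnk", "msi", "ps1", "dll"}
# Document-like extensions used as the visible decoy in names such as "x.pdf.exe".
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Constructed sample name: 30 spaces push the real extension out of a file dialog.
PADDED_NAME = "readme.txt" + " " * 30 + ".scr"


@dataclass
class Finding:
    entry: str
    reasons: list[str] = field(default_factory=list)


def triage_entry(name: str) -> list[str]:
    """Return why an entry name looks hostile; an empty list means no concern."""
    reasons: list[str] = []
    normalized = name.replace("\\", "/")
    parts = normalized.split("/")
    # Absolute paths and drive letters escape the chosen extraction folder.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        reasons.append("absolute path")
    # Any '..' component is traversal; test components, not the raw string,
    # so a name like 'a..b' is not a false positive.
    if ".." in parts:
        reasons.append("path traversal")
    filename = parts[-1]
    stem, dot, ext = filename.lower().rpartition(".")
    if dot and ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
        # 'invoice.pdf.exe': the document extension the user sees is a decoy.
        if stem.rpartition(".")[2].strip() in DECOY_EXTENSIONS:
            reasons.append("double extension")
    if "   " in filename:
        reasons.append("whitespace padding in name")
    return reasons


def triage_archive(data: bytes) -> list[Finding]:
    """Inspect every file entry of an in-memory ZIP; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_entry(info.filename)
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a lure document plus three entries a phishing archive might carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2025-08.pdf", b"%PDF-1.4 lure")
        zf.writestr("invoice_2025-08.pdf.exe", b"MZ")                # double extension
        zf.writestr("../../Users/Public/update.bat", b"@echo off")  # traversal
        zf.writestr(PADDED_NAME, b"MZ")                             # padded name
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(f"QUARANTINE {finding.entry!r}: {', '.join(finding.reasons)}")
```

Run as a script it prints one QUARANTINE line per hostile entry and says nothing about the lure PDF. Traversal is checked on path components rather than by substring so that the check cannot be bypassed with mixed separators, and nothing is ever written to disk, which is the property a gateway check must have.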

Observations and Further Recommendations

  • Diverse and Evolving Attack Vectors: Threat actors are leveraging a wide range of tactics, including initial access brokers (SocGholish), exploitation of zero-day vulnerabilities (WinRAR), and the use of specialized tools to disable security software (EDR killers). This highlights the need for a multi-layered security approach.
  • Data Exfiltration as the Primary Threat: The majority of recent ransomware group activity involves publishing victims on leak sites. This confirms the dominance of the “double extortion” model, where the threat of releasing sensitive stolen data is used as the main leverage for payment.
  • Broad Industry Targeting: The victim list shows no industry is safe, with recent targets including manufacturing, healthcare, education, technology, and professional services across the US, Europe, and Australia.
  • General Recommendations: Organizations should prioritize timely patching of all software, especially widely used applications like WinRAR (which has no automatic update mechanism, so the fixed version must be pushed out through software management). Employee training on phishing awareness is crucial. A robust defense-in-depth strategy, including EDR solutions with tamper protection enabled and immutable, regularly restore-tested backups, is essential to counter attacks that begin by disabling security controls.
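The EDR-killer item and the recommendation above leave the defender with one practical question: what does "a security control being disabled" look like in telemetry? The hunt below is an added example for this digest, not code from the page or from any EDR vendor. The digest does not describe how the new EDR killer works, so the indicators are generic tamper signals chosen for the example rather than that tool's behaviour: a kernel-mode driver service installed from a user-writable path (Service Control Manager event 7045), followed within minutes on the same host by a security product's service stopping (event 7036). The service names, path prefixes and sample events are constructed assumptions.

```python
"""Hunt for EDR tampering in parsed Windows System-log events (added example, see lead-in)."""
from datetime import datetime, timedelta

# Assumed service names of monitored security products; take the real list
# from your EDR vendor's documentation.
PROTECTED_SERVICES = {"windefend", "sentinelagent", "csfalconservice", "sensorsvc"}

# Legitimate kernel drivers live under System32\drivers; one loaded from a
# user-writable directory is worth an alert on its own.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample events shaped like parsed 7045/7036 records.
SAMPLE_EVENTS = [
    {"time": "2025-08-08T09:12:01", "host": "ws-042", "id": 7045, "service": "upd-helper",
     "image": "C:\\Users\\Public\\upd.sys", "service_type": "kernel mode driver"},
    {"time": "2025-08-08T09:12:44", "host": "ws-042", "id": 7036, "service": "SentinelAgent",
     "state": "stopped"},
    {"time": "2025-08-08T09:13:10", "host": "ws-042", "id": 7036, "service": "WinDefend",
     "state": "stopped"},
    # Benign noise: a spooler restart and a GPU driver installed from System32.
    {"time": "2025-08-08T10:00:00", "host": "srv-07", "id": 7036, "service": "Spooler",
     "state": "stopped"},
    {"time": "2025-08-08T11:30:00", "host": "srv-07", "id": 7045, "service": "nvlddmkm",
     "image": "C:\\Windows\\System32\\drivers\\nvlddmkm.sys",
     "service_type": "kernel mode driver"},
]


def is_suspicious_driver_install(ev: dict) -> bool:
    """7045 for a kernel driver whose image sits in a user-writable directory."""
    return (ev["id"] == 7045
            and ev.get("service_type", "").lower() == "kernel mode driver"
            and ev.get("image", "").lower().startswith(USER_WRITABLE_PREFIXES))


def is_protected_service_stop(ev: dict) -> bool:
    """7036 'entered the stopped state' for one of the monitored security services."""
    return (ev["id"] == 7036 and ev.get("state") == "stopped"
            and ev["service"].lower() in PROTECTED_SERVICES)


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (severity, host, message) alerts in event-time order."""
    alerts = []
    driver_installs: dict[str, list[tuple[datetime, dict]]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if is_suspicious_driver_install(ev):
            driver_installs.setdefault(ev["host"], []).append((when, ev))
            alerts.append(("medium", ev["host"],
                           f"kernel driver '{ev['service']}' installed from {ev['image']}"))
        elif is_protected_service_stop(ev):
            # Correlate with any suspicious driver install on the same host
            # inside the window; that sequence is the high-severity pattern.
            recent = [(t, d) for t, d in driver_installs.get(ev["host"], [])
                      if timedelta(0) <= when - t <= CORRELATION_WINDOW]
            if recent:
                t, d = recent[-1]
                age = int((when - t).total_seconds())
                alerts.append(("high", ev["host"],
                               f"{ev['service']} stopped {age}s after driver "
                               f"'{d['service']}' was installed"))
            else:
                alerts.append(("medium", ev["host"],
                               f"{ev['service']} stopped with no preceding driver install"))
    return alerts


if __name__ == "__main__":
    for severity, host, message in hunt(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {host}: {message}")
```

On the sample data the script raises one medium alert for the driver install and two high alerts for the two security services that stop within seconds of it, while the spooler restart and the System32 driver on srv-07 produce nothing. In production the event list would come from a SIEM query rather than the inline constant, and a protected service stopping during a known maintenance window should be suppressed rather than alerted.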

News Details

  • CyberArk and HashiCorp Flaws Enable Remote Vault Takeover Without Credentials: Cybersecurity researchers have discovered over a dozen vulnerabilities in enterprise secure vaults from CyberArk and HashiCorp that, if successfully exploited, can allow remote attackers to crack open corporate identity systems and extract enterprise secrets and tokens from them.
  • AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims: Cybersecurity researchers are drawing attention to a new campaign that’s using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign.
  • Leaked Credentials Up 160%: What Attackers Are Doing With Them: When an organization’s credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password.
  • RubyGems, PyPI Hit by Malicious Packages Stealing Credentials, Crypto, Forcing Security Changes: A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users and likely resell them on dark web forums like Russian Market.
  • GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions: A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets.
  • SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others: The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content.
  • OpenAI to fix GPT-5 issues, double rate limits for paid users after outrage: OpenAI’s CEO, Sam Altman, overpromised on GPT-5, and real-life results are underwhelming, but it looks like a new update is rolling out that might address some of the concerns.
  • WinRAR zero-day exploited to plant malware on archive extraction: A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
  • FTC: older adults lost record $700 million to scammers in 2024: Americans aged 60 and older lost a staggering $700 million to online scams in 2024, marking a sharp rise in fraud targeting seniors, according to the Federal Trade Commission.
  • U.S. Judiciary confirms breach of court electronic records service: The U.S. Federal Judiciary confirms that it suffered a cyberattack on its electronic case management systems hosting confidential court documents and is strengthening cybersecurity measures.
  • Microsoft 365 apps to soon block file access via FPRPC by default: Microsoft has announced that the Microsoft 365 apps for Windows will start blocking access to files via the insecure FPRPC legacy authentication protocol by default starting late August.
  • Microsoft will kill the Lens PDF scanner app for iOS, Android: Microsoft announced that it will phase out the Microsoft Lens PDF scanner app for Android and iOS devices starting September 15, 2025.
  • Columbia University data breach impacts nearly 870,000 individuals: An unknown threat actor has stolen the sensitive personal, financial, and health information of nearly 870,000 Columbia University current and former students and employees after breaching the university’s network in May.
  • Royal and BlackSuit ransomware gangs hit over 450 US companies: The U.S. Department of Homeland Security (DHS) says the cybercrime gang behind the Royal and BlackSuit ransomware operations had breached hundreds of U.S. companies before their infrastructure was dismantled last month.
  • Fake WhatsApp developer libraries hide destructive data-wiping code: Two malicious NPM packages posing as WhatsApp development tools have been discovered deploying destructive data-wiping code that recursively deletes files on a developer’s computers.
  • CISA orders fed agencies to patch new Exchange flaw by Monday: CISA has issued an emergency directive ordering all Federal Civilian Executive Branch (FCEB) agencies to mitigate a critical Microsoft Exchange hybrid vulnerability tracked as CVE-2025-53786 by Monday morning at 9:00 AM ET.
  • ChatGPT’s GPT-5 models released: everything you need to know: After a long wait, GPT-5 is finally rolling out. It’s available for free, Plus, Pro and Team users today. This means everyone gets to try GPT-5 today, but paid users get higher limits.
  • New EDR killer tool used by eight different ransomware groups: A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
  • Bouygues Telecom confirms data breach impacting 6.4 million customers: Bouygues Telecom warns it suffered a data breach after the personal information of 6.4 million customers was exposed in a cyberattack.
  • Cybersecurity Incident at Allianz Life Exposes Personal Information of Hundreds of Thousands: [Content not provided]
  • 860K Compromised in Columbia University Data Breach: While no data has yet to be misused, the university doesn’t rule out the possibility of that occurring in the future, prompting it to warn affected individuals to remain vigilant in the wake of the breach.
  • 🏴‍☠️ Cloak has just published a new victim : Wstg-steuerberater.de: For over thirty years, Frank Hoffmann and Stephan Hofmann have reliably advised clients along the Rhine and Ruhr and from the Bergisches Land.
  • 🏴‍☠️ Everest has just published a new victim : Viking Automation: [AI generated] N/A
  • 🏴‍☠️ Sinobi has just published a new victim : Dyson Corp.: Dyson Corporation is a prominent supplier of large diameter, domestic fasteners and forges tailored primarily for the heavy construction, military, marine, aerospace, and energy sectors.
  • 🏴‍☠️ Lynx has just published a new victim : Drive & Shine: Drive & Shine is a premier car care service that offers express car washes, interior cleaning, detailing, and oil changes at locations in Michigan and Indiana.
  • 🏴‍☠️ Safepay has just published a new victim : mauilodging.com: [AI generated] MauiLodging.com is a property rental service company based in Maui, Hawaii. This firm specializes in providing a wide range of accommodation options as per user requirements, from luxury villas to economical vacation rentals.
  • 🏴‍☠️ Qilin has just published a new victim : CIMEXSTEEL.CZ: The Czech holding company CS STEEL a.s. manufactures and sells metal structures for private and public sector clients. A small company that failed to protect its infrastructure has put dozens of its clients at risk.
  • 🏴‍☠️ Incransom has just published a new victim : multichem.net: MULTICHEM: THE INK SPECIALISTS Creating inks since 1973, Multichem has earned a global reputation for quality, service and technical support.