Latest Ransomware News and New File Extensions
Incransom:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and public shaming on a leak site.
- Targets: Healthcare (Louis Tieu DDS MD) and Financial Services (Howard Financial & Associates).
- Decryption Status: No known public decryption tool.
- Source: URL not provided.
Weyhro:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and public shaming on a leak site.
- Targets: Social Services (Community Services of Missouri) and Waste Management (Chemtron RiverBend).
- Decryption Status: No known public decryption tool.
- Source: URL not provided.
Qilin:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and public shaming on a leak site.
- Targets: Geoscience/Energy (getech.com), Education (St Thomas More Catholic High School), Manufacturing (jtekt.eu), and Financial Services (formacompany).
- Decryption Status: No known public decryption tool.
- Source: URL not provided.
Play:
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and public shaming on a leak site.
- Targets: Organizations in Canada (NEAS) and the United States (RHI Supply, CFI Tire Service).
- Decryption Status: No known public decryption tool.
- Source: URL not provided.
Other Active Groups (Rhysida, Worldleaks, Securotrop, Bqtlock):
- New Encrypted File Extension: Not specified in the provided articles.
- Attack Methods: Data exfiltration and public shaming on a leak site.
- Targets: A wide range of sectors including IT (Alascom), Defense Contracting (L3Harris Technologies), Telecommunications (TigerCommunications), and Business Services (European Business Server Cluster).
- Decryption Status: No known public decryption tool.
- Source: URL not provided.
Observations and Further Recommendations
- Ransomware groups remain highly active, employing a double-extortion strategy of encrypting files and leaking stolen data. The attacks target a diverse array of industries, including critical sectors like defense, healthcare, and finance.
- An actively exploited zero-day vulnerability (CVE-2025-8088) in WinRAR is a significant threat. This could serve as an initial access vector for ransomware attacks. All users are urged to update to the latest version immediately.
- A separate high-severity vulnerability in Microsoft Exchange servers remains unpatched on over 29,000 systems, posing a severe risk of lateral movement and domain compromise for affected organizations.
- The continued success of these attacks highlights the critical need for organizations to prioritize security hygiene, including timely software patching, robust data backup and recovery plans, and employee training to recognize phishing attempts.
News Details
- WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately: The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been described as a case of path traversal affecting the Windows version of the tool that could be exploited to obtain arbitrary code execution by crafting malicious archive files.
- Over 29,000 Exchange servers unpatched against high-severity flaw: Over 29,000 Exchange servers exposed online remain unpatched against a high-severity vulnerability that can let attackers move laterally in Microsoft cloud environments, potentially leading to complete domain compromise.
- Connex Credit Union data breach impacts 172,000 members: Connex, one of Connecticut’s largest credit unions, warned tens of thousands of members that unknown attackers had stolen their personal and financial information after breaching its systems in early June.
- Google confirms data breach exposed potential Google Ads customers’ info: Google has confirmed that a recently disclosed data breach of one of its Salesforce CRM instances involved the information of potential Google Ads customers.
- Hyundai wants Ioniq 5 owners to pay to fix a keyless entry security hole: Hyundai is now offering an “optional” security upgrade for the Ioniq 5 in the UK that prevents the car from being stolen with a Game Boy-like device. Hyundai wants some Ioniq 5 owners to pay £49 ($65) to upgrade hardware and software components to prevent thieves from using handheld devices to unlock and start cars without needing a key.
- 🏴☠️ Incransom has just published a new victim : Louis Tieu DDS MD: Dr. Louis Tiu was born in Taiwan and raised in Rowland Heights, California… He is responsible for the leak of more than 500 pieces of personal data belonging to his clients
- 🏴☠️ Weyhro has just published a new victim : Community Services of Missouri: [AI generated] Community Services of Missouri is an organization that provides a range of services to aid individuals and communities. These services include driver improvement programs, drug education and prevention programs, substance abuse traffic offender programs, and probation services.
- 🏴☠️ Qilin has just published a new victim : St Thomas More Catholic High School: St. Thomas More Catholic High School is one of the most famous and prestigious schools in Louisiana, USA. Every child in Lafayette wants to study here, and parents are willing to pay a lot to get their child into this elite environment.
- 🏴☠️ Worldleaks has just published a new victim : L3Harris Technologies: [AI generated] L3Harris Technologies is a leading technology innovator and defense contractor company based in the US. Created in 2019 from the merger of L3 Technologies and Harris Corporation, it specializes in communications, electronics, and space and intelligence systems.
- New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP: A novel attack technique could be weaponized to rope thousands of public domain controllers (DCs) around the world to create a malicious botnet and use it to conduct powerful distributed denial-of-service (DDoS) attacks.
- 6 Lessons Learned: Focusing Security Where Business Value Lives: The Evolution of Exposure Management. Most security teams have a good sense of what’s critical in their environment. What’s harder to pin down is what’s business-critical. These are the assets that support the processes the business can’t function without.
- Researchers Detail Windows EPM Poisoning Exploit Chain Leading to Domain Privilege Escalation: Cybersecurity researchers have presented new findings related to a now-patched security issue in Microsoft’s Windows Remote Procedure Call (RPC) communication protocol that could be abused by an attacker to conduct spoofing attacks and impersonate a known server.
- Linux-Based Lenovo Webcams’ Flaw Can Be Remotely Exploited for BadUSB Attacks: Cybersecurity researchers have disclosed vulnerabilities in select model webcams from Lenovo that could turn them into BadUSB attack devices. “This allows remote attackers to inject keystrokes covertly and launch attacks independent of the host operating system.”
- Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models: Cybersecurity researchers have uncovered multiple security flaws in Dell’s ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install.
- Google Calendar invites let researchers hijack Gemini to leak user data: Google fixed a bug that allowed maliciously crafted Google Calendar invites to remotely take over Gemini agents running on the target’s device and leak sensitive user data.
- AOL is finally shutting down dial-up: AOL dial-up is ending on September 30th according to a statement posted on the company’s website. It marks the end of the service that was synonymous with the internet for many since its launch in 1991.
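The WinRAR item above describes a path-traversal flaw in archive extraction (CVE-2025-8088): a crafted member name makes the extractor write outside the chosen directory. The script below is an added example, not code from any article on this page and not WinRAR's own code. It shows the general check a defender can apply to any archive format before extracting: audit member names for `..` components, absolute paths and Windows drive or root paths, and extract only members whose resolved path stays inside the destination. It uses the standard-library `zipfile` module with a constructed sample archive (RAR is not handled by the standard library); the function names and the sample member names are my own.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath


def is_unsafe_member(name: str) -> bool:
    """True if an archive member name could escape the extraction directory.

    Flags absolute POSIX paths, Windows drive/root paths (as stored by
    Windows archivers, usually with backslashes) and any '..' component.
    """
    if not name:
        return True
    unified = name.replace("\\", "/")          # archives may store either separator
    if unified.startswith("/"):
        return True
    win = PureWindowsPath(name)
    if win.drive or win.root:                  # e.g. 'C:\\x', '\\\\server\\share', '\\x'
        return True
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    return ".." in parts


def naive_join_target(dest: str, name: str) -> str:
    """Where an extractor that simply joins dest + member name would write.

    This is the vulnerable pattern: no validation of the member name at all.
    """
    return os.path.normpath(os.path.join(dest, name.replace("\\", "/")))


def audit_archive(data: bytes) -> dict:
    """Classify every member of an in-memory zip as safe or unsafe."""
    result = {"safe": [], "unsafe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            key = "unsafe" if is_unsafe_member(info.filename) else "safe"
            result[key].append(info.filename)
    return result


def safe_extract(data: bytes, dest: str) -> dict:
    """Extract only members whose final path resolves inside dest."""
    dest_real = os.path.realpath(dest)
    out = {"extracted": [], "skipped": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_unsafe_member(name):
                out["skipped"].append(name)
                continue
            target = os.path.realpath(os.path.join(dest_real, *name.split("/")))
            # Independent second check on the resolved path (defence in depth).
            if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
                out["skipped"].append(name)
                continue
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            out["extracted"].append(name)
    return out


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and three traversal-style ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "benign content")
        zf.writestr("../../startup/evil.cmd", "relative escape")     # '..' traversal
        zf.writestr("/etc/cron.d/evil", "absolute path")             # absolute POSIX path
        zf.writestr("C:\\Users\\Public\\evil.cmd", "drive path")     # Windows drive path
    return buf.getvalue()


def demo() -> dict:
    """Audit the sample, show where a naive extractor would write, then extract safely."""
    data = build_sample_archive()
    audit = audit_archive(data)
    with tempfile.TemporaryDirectory() as dest:
        dest_real = os.path.realpath(dest)
        naive_escapes = [
            n for n in audit["unsafe"]
            if os.path.commonpath([dest_real, naive_join_target(dest_real, n)]) != dest_real
        ]
        result = safe_extract(data, dest)
        with open(os.path.join(dest, "report", "readme.txt")) as fh:
            content = fh.read()
    return {"audit": audit, "naive_escapes": naive_escapes,
            "extract": result, "readme": content}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit runs on the stored member names before anything touches disk, and the extraction step re-checks the fully resolved path, so a name that slips past one check is still caught by the other. Which unsafe names actually escape through `naive_join_target` depends on the host: on a POSIX system the drive-letter entry lands harmlessly under the destination, while on Windows it would not, which is why the name-level audit rejects all three forms regardless of platform.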