Ransomware Update – 2025-08-13

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Charon Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A previously undocumented ransomware family deployed with tradecraft more typical of APT intrusions than of commodity ransomware, including DLL side-loading, process injection and evasion of security tooling.
    • Targets: Public sector and aviation industry organizations in the Middle East.
    • Decryption Status: No known decryption method is available.
    • Source: https://thehackernews.com/2025/08/charon-ransomware-hits-middle-east.html
  • ShinyHunters & Scattered Spider:

    • New Encrypted File Extension: Not applicable (data extortion).
    • Attack Methods: The two cybercrime groups are collaborating on data extortion campaigns, shifting tactics from simple credential theft to large-scale data theft and extortion, initially targeting Salesforce customers.
    • Targets: Businesses using Salesforce, with potential expansion to financial services and technology providers. Allianz Life has been identified as a victim.
    • Decryption Status: Not applicable; this is primarily a data theft and extortion operation.
    • Source: https://thehackernews.com/2025/08/shinyhunters-scattered-spider-join.html
  • BlackSuit Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data encryption and extortion targeting critical infrastructure.
    • Targets: Various sectors, with a history of targeting critical infrastructure.
    • Decryption Status: No public decryptor is available, but law enforcement has disrupted the group's operations, seizing infrastructure as well as cryptocurrency and digital assets worth roughly $1.09 million (see News Details).
    • Source: https://www.bleepingcomputer.com/news/security/us-govt-seizes-1-million-in-crypto-from-blacksuit-ransomware-gang/
  • Akira Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data theft with threatened publication on the group's leak site for extortion.
    • Targets: Latest listed victim is Litchfield Cavo LLP, a U.S. coverage and litigation defense law firm; the group says it will publish more than 300GB of corporate and client data (financial records, employee and client PII, medical information, NDAs).
    • Decryption Status: No decryptor is publicly available for current variants.
    • Source: Ransomware leak site post.
  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data theft and public leak for extortion.
    • Targets: Various entities, including Ahtna Inc. (construction), Belle Vernon Area School District, and Northern Construction Service.
    • Decryption Status: No known decryption method is available.
    • Source: Ransomware leak site post.

Observations and Further Recommendations

  • New ransomware families like Charon are adopting sophisticated, APT-level evasion techniques, making detection and prevention more challenging.
  • A significant trend is the collaboration between prominent cybercrime groups, such as ShinyHunters and Scattered Spider, to combine skills for more impactful data extortion campaigns.
  • Law enforcement continues to disrupt ransomware operations, as evidenced by the successful seizure of assets from the BlackSuit gang.
  • Proactive security remains crucial. Organizations should prioritize patching critical vulnerabilities, such as those addressed in Microsoft's August 2025 Patch Tuesday and the actively exploited Citrix NetScaler flaw (CVE-2025-6543), and should treat container base images as a supply chain risk: the XZ Utils backdoor is still present in some Docker Hub images and in everything built on top of them.

News Details

  • Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics: Cybersecurity researchers have discovered a new campaign that employs a previously undocumented ransomware family called Charon to target the Middle East’s public sector and aviation industry. The threat actor behind the activity, according to Trend Micro, exhibited tactics mirroring those of advanced persistent threat (APT) groups, such as DLL side-loading, process injection, and the ability to evade security.

  • Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses: An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show. This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group’s previous credential theft and database sales.

  • Hackers leak Allianz Life data stolen in Salesforce attacks: Hackers have released stolen data belonging to US insurance giant Allianz Life, exposing 2.8 million records with sensitive information on business partners and customers in ongoing Salesforce data theft attacks.

  • US govt seizes $1 million in crypto from BlackSuit ransomware gang: The U.S. Department of Justice (DoJ) seized cryptocurrency and digital assets worth $1,091,453 at the time of confiscation, on January 9, 2024, from the BlackSuit ransomware gang.

  • Microsoft August 2025 Patch Tuesday Fixes Kerberos Zero-Day Among 111 Total New Flaws: Microsoft on Tuesday rolled out fixes for 111 security flaws across its software portfolio, including one publicly disclosed zero-day in Windows Kerberos. Of the 111 vulnerabilities, 16 are rated Critical, 92 Important, two Moderate, and one Low in severity.

  • 🏴‍☠️ Akira has just published a new victim: Litchfield Cavo LLP: Litchfield Cavo LLP is a premier coverage and litigation defense law firm founded in 1998 on one principle – client service comes first. We are ready to upload more than 300GB of files of essential corporate documents such as: financial data (audit, payment details, financial reports, invoices), employee and customer information (driver's license, Social Security Numbers, death certificate, medical information), confidential information, NDA and so on.

  • Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors: The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country. The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands.

  • Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks: New research has uncovered Docker images on Docker Hub that still contain the XZ Utils backdoor (CVE-2024-3094), more than a year after its discovery in March 2024. More troubling, other images have been built on top of these infected base images, so the compromised liblzma propagates transitively to every derived image.
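The practical follow-up to the XZ item is a triage check of the images you actually run. The script below is an added example written for this digest, not code from the cited research or from the XZ project. It takes version lines of the kind you would pull out of a container (the output of `xz --version`, or `<package> <version>` lines from dpkg-query or rpm) and flags the two upstream releases, 5.6.0 and 5.6.1, whose tarballs carried the backdoor. The sample input is constructed; the Fedora release suffix in it is made up for illustration. The Debian "+really" case is included because a naive substring match on "5.6.1" would wrongly flag Debian's rollback package, which ships upstream 5.4.5 under a higher-sorting version string.

```python
"""Triage helper: flag xz-utils / liblzma versions hit by the XZ Utils backdoor (CVE-2024-3094).

Added example, not from the original digest. It checks `xz --version` output and
"<package> <version>" lines, such as those pulled from a container image, against
the two upstream releases (5.6.0 and 5.6.1) whose tarballs carried the backdoor.
"""
import re
from typing import Iterable

# Upstream xz releases whose tarballs contained the backdoored build scripts (CVE-2024-3094).
BACKDOORED_UPSTREAM = {(5, 6, 0), (5, 6, 1)}

# `xz --version` prints two lines: "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1".
XZ_VERSION_RE = re.compile(r"^(?:xz \(XZ Utils\)|liblzma)\s+(?P<ver>\S+)$")
# "<package> <version>" lines, e.g. from dpkg-query -W -f='${Package} ${Version}\n'
# or rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'. Multi-arch suffix (":amd64") is allowed.
PKG_LINE_RE = re.compile(r"^(?:xz-utils|xz-libs|xz|liblzma5?)(?::\S+)?\s+(?P<ver>\S+)$")


def upstream_version(pkg_version: str) -> tuple[int, ...]:
    """Reduce a distro package version to the upstream xz release it really ships.

    Strips an epoch ("1:") and a distro revision ("-1", "-3.fc40"), and honours Debian's
    "+really" rollback marker: "5.6.1+really5.4.5-1" is an upstream 5.4.5 build that keeps
    a higher-sorting version string so apt installs it over the pulled 5.6.1 package.
    """
    v = pkg_version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]          # drop epoch
    v = v.split("-", 1)[0]              # drop distro revision
    if "+really" in v:
        v = v.rsplit("+really", 1)[1]   # the real upstream version follows the marker
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {pkg_version!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_backdoored(pkg_version: str) -> bool:
    """True if the package ships one of the backdoored upstream releases."""
    return upstream_version(pkg_version) in BACKDOORED_UPSTREAM


def scan_lines(lines: Iterable[str]) -> dict[str, bool]:
    """Map every xz-related line to True (backdoored release) or False; other lines are skipped."""
    findings: dict[str, bool] = {}
    for raw in lines:
        line = raw.strip()
        m = XZ_VERSION_RE.match(line) or PKG_LINE_RE.match(line)
        if m:
            findings[line] = is_backdoored(m.group("ver"))
    return findings


def backdoored_lines(lines: Iterable[str]) -> list[str]:
    """The input lines that name a backdoored release, in input order."""
    return [line for line, hit in scan_lines(lines).items() if hit]


# Constructed sample of what `xz --version` and package listings from several images
# might return; the Fedora release suffix is invented for illustration.
SAMPLE_LINES = [
    "xz (XZ Utils) 5.6.1",
    "liblzma 5.6.1",
    "liblzma5:amd64 5.6.1+really5.4.5-1",  # Debian's rollback build: ships 5.4.5, safe
    "xz-libs 5.6.0-3.fc40",
    "xz-utils 5.4.1-0.2",
    "openssl 3.0.13-1",                     # unrelated package, ignored
]

if __name__ == "__main__":
    for line, hit in scan_lines(SAMPLE_LINES).items():
        print(f"{'BACKDOORED' if hit else 'ok        '}  {line}")
```

To feed it real input without running an image's entrypoint, something like `docker run --rm --entrypoint xz <image> --version` yields the two `xz --version` lines. Check the final image rather than only the Dockerfile's FROM line: a derived image inherits the base image's liblzma unless the package was upgraded during the build, which is exactly the transitive propagation the research describes. A version hit is a reason to rebuild from a clean base, whether or not sshd is present in the image.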