Latest Ransomware News and New File Extensions
WarLock Ransomware:
- New Encrypted File Extension: Not specified in the reports.
- Attack Methods: A cyberattack leading to multi-day outages of company operations. Data was exfiltrated and put up for sale.
- Targets: Colt Technology Services, a UK-based telecommunications company.
- Decryption Status: No known free decryptor is available; the attackers are attempting to sell the stolen data.
- Source: https://www.bleepingcomputer.com/news/security/colt-telecom-attack-claimed-by-warlock-ransomware-data-up-for-sale/
Crypto24 Ransomware:
- New Encrypted File Extension: Not specified in the reports.
- Attack Methods: Employs custom utilities designed to bypass and evade Endpoint Detection and Response (EDR) security solutions to exfiltrate data and encrypt files.
- Targets: Large organizations. Recently announced victims include CMS Legal Services and Karndean International.
- Decryption Status: No known free decryptor is available.
- Source: https://www.bleepingcomputer.com/news/security/crypto24-ransomware-hits-large-orgs-with-custom-edr-evasion-tool/
Multiple Ransomware Victim Announcements:
- Prominent Details: Numerous ransomware groups, including Akira, Qilin, D4rk4rmy, Interlock, Incransom, Anubis, Everest, Play, and others, have published new victims on their data leak sites.
- Attack Methods: The primary method is data exfiltration, followed by public naming and threats to release sensitive information to extort payment.
- Targets: A wide range of global industries, including legal firms, technology companies, school districts, manufacturing, and financial services.
- Decryption Status: No decryption tools are mentioned; the focus is on data leak extortion.
- Source: Ransomware group leak sites.
Observations and Further Recommendations
- Ransomware activity remains high, with numerous groups actively targeting diverse sectors worldwide. The list of recent victims highlights the indiscriminate nature of these attacks.
- A significant trend is the increasing technical sophistication of attackers. The Crypto24 group’s use of custom tools to bypass EDR security demonstrates an escalation in capabilities, posing a greater threat to well-defended organizations.
- The dominant strategy continues to be “double extortion,” where attackers not only encrypt files but also steal sensitive data and threaten to publish it.
- It is recommended that organizations implement a defense-in-depth security strategy. This should include advanced endpoint protection, network segmentation, strict access controls, regular security awareness training for employees, and maintaining immutable, offline backups for disaster recovery.
News Details
- ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure: Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators’ infrastructure. “The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications,”
- Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware: The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads. Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger
- Taiwan Web Servers Breached by UAT-7237 Using Customized Open-Source Hacking Tools: A Chinese-speaking advanced persistent threat (APT) actor has been observed targeting web infrastructure entities in Taiwan using customized versions of open-sourced tools with an aim to establish long-term access within high-value victim environments. The activity has been attributed by Cisco Talos to an activity cluster it tracks as UAT-7237, which is believed to be active since at least 2022.
- U.S. Sanctions Garantex and Grinex Over $100M in Ransomware-Linked Illicit Crypto Transactions: The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday renewed sanctions against Russian cryptocurrency exchange platform Garantex for facilitating ransomware actors and other cybercriminals by processing more than $100 million in transactions linked to illicit activities since 2019. The Treasury said it’s also imposing sanctions on Garantex’s successor, Grinex
- Zero Trust + AI: Privacy in the Age of Agentic AI: We used to think of privacy as a perimeter problem: about walls and locks, permissions, and policies. But in a world where artificial agents are becoming autonomous actors — interacting with data, systems, and humans without constant oversight — privacy is no longer about control. It’s about trust. And trust, by definition, is about what happens when you’re not looking. Agentic AI — AI that
- Cisco Warns of CVSS 10.0 FMC RADIUS Flaw Allowing Remote Code Execution: Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems. The vulnerability, assigned the CVE identifier CVE-2025-20265 (CVSS score: 10.0), affects the RADIUS subsystem implementation that could permit an unauthenticated, remote attacker to inject
- Colt Telecom attack claimed by WarLock ransomware, data up for sale: UK-based telecommunications company Colt Technology Services is dealing with a cyberattack that has caused a multi-day outage of some of the company’s operations, including hosting and porting services, Colt Online and Voice API platforms. […]
- Cisco warns of max severity flaw in Firewall Management Center: Cisco is warning about a critical remote code execution (RCE) vulnerability in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software. […]
- Microsoft reminds of Windows 10 support ending in two months: Microsoft has reminded customers that Windows 10 will be retired in two months after all editions of Windows 10, version 22H2 reach their end of servicing on October 14. […]
- Plex warns users to patch security vulnerability immediately: Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability. […]
- US sanctions Grinex crypto-exchange, successor to Garantex: The U.S. Department of the Treasury has announced sanctions against Grinex, the successor to Russian cryptocurrency exchange Garantex, which was previously sanctioned for helping ransomware gangs launder their money. […]
- Over $300 million in cybercrime crypto seized in anti-fraud effort: More than $300 million worth of cryptocurrency linked to cybercrime and fraud schemes has been frozen due to two separate initiatives involving law enforcement and private companies. […]
- Crypto24 ransomware hits large orgs with custom EDR evasion tool: The Crypto24 ransomware group has been using custom utilities to evade security solutions on breached networks, exfiltrate data, and encrypt files. […]
- A brazen attack on air safety is underway — here’s what’s at stake: At the end of July, the National Transportation Safety Board (NTSB) convened a three-day public hearing to investigate January’s mid-air collision over Washington, DC that killed 67 people. After the hearing, two conclusions were inescapable.
- Laura Loomer and the limits of posting everything: For all the power she wields with the White House’s affairs, Laura Loomer does not have the traditional tools that her rivals in the MAGA influencer industrial complex have – the highest follower count, the most political power, the most internet platforms, etc.
- The best budget smartphone you can buy: You can get a great budget device these days if you know how to pick your priorities. Some of us take a kind of “I eat to live” rather than an “I live to eat” approach to gadgets.
- Louisiana sues Roblox for creating an environment where ‘child predators thrive’: The state of Louisiana has filed a lawsuit against Roblox, alleging that the company has “permitted and perpetuated an online environment in which child predators thrive, directly contributing to the widespread victimization of minor children in Louisiana.”
- Here are the best AirPods deals you can get right now: If you know where to look, you can often score discounts on Apple’s ever-expanding AirPods lineup. Both the newer AirPods Max and AirPods 4 (with and without ANC) now consistently receive discounts, as do the latest AirPods Pro with USB-C.
- What my first five Steam purchases say about me: There’s a meme currently going around Bluesky where people are posting their first purchases on Steam. Taking a look presents a neat time capsule, offering a glimpse of who we used to be.
- PBS is slashing its budget in response to Trump’s attack on public media: Now that Congress has passed a bill that will defund the Corporation for Public Broadcasting, PBS is taking drastic measures to stay alive.
- Anker’s 3-in-1 Qi2 charging station has returned to its Prime Day low: If you’ve ever juggled a phone, a smartwatch, and a pair of wireless earbuds, you know the struggle of keeping them all charged. Rather than go through the process of charging them one by one, a quality charging station can help you manage the chaos and reduce cable clutter.
- A treaty to end plastic pollution is still out of reach — that’s not necessarily a bad thing: The nations of the world have been on the precipice of reaching a global agreement to curb plastic pollution for a few years now. Delegates from 184 governments met in Geneva this month to try to hammer out a final treaty, but in the end, they walked away without a deal.
- Anthropic has new rules for a more dangerous AI landscape: Anthropic has updated the usage policy for its Claude AI chatbot in response to growing concerns about safety. In addition to introducing stricter cybersecurity rules, Anthropic now specifies some of the most dangerous weapons that people should not develop using Claude.
- New Crypto24 Ransomware Attacks Bypass EDR: While several cybercrime groups have embraced “EDR killers,” researchers say the deep knowledge and technical skills demonstrated by Crypto24 signify a dangerous escalation.
- Colt Telecommunications Struggles in Wake of Cyber Incident: The UK telco said it temporarily took some systems offline as a “protective” measure in its investigation.
- Water Systems Under Attack: Norway, Poland Blame Russia Actors: Water and wastewater systems have become a favored target of nation-state actors, drawing increasing scrutiny following attacks on systems in multiple countries.
- 🏴‍☠️ Crypto24 has just published a new victim: CMS Legal Services EEIG: We are in possession of highly confidential data belonging to CMS, one of the largest international law firms, including government and national infrastructure project files, sensitive contracts with multinational corporations, tax authority system access records, internal financial and legal documents, as well as payroll and personnel information.
- 🏴‍☠️ D4rk4rmy has just published a new victim: THE MILLENNIUM GROUP: The Millennium Group (TMG) is a global provider of document management and workplace services with more than 40 years of operations. TMG is certified as a Minority Business Enterprise (MBE) and a Woman-Owned Business Enterprise (WBE).
- 🏴‍☠️ D4rk4rmy has just published a new victim: VINSON & ELKINS LLP: Vinson & Elkins is a century-strong global law firm that partners with leading companies across key industries on wide-ranging, complex matters.
- 🏴‍☠️ Qilin has just published a new victim: ethicalpackaging.co.uk: Ethical Packaging, UK, is a company that provides printing services and packaging production. The company works with world-renowned brands such as Hermes and the Ferrero Group.
- 🏴‍☠️ Incransom has just published a new victim: MJets: MJets was founded in 2007 thanks to the visionary partnership between William E. Heinicke, an aviation enthusiast with an unquenchable passion for flying, and Kirith Shah, one of Thailand’s most respected businessmen.
- 🏴‍☠️ Akira has just published a new victim: ZMM: ZMM Architects and Engineers is an award-winning design firm with offices in West Virginia, Virginia, and Ohio, providing integrated professional services. We are ready to upload more than 50 GB of files of essential corporate documents.