Latest Ransomware News and New File Extensions
- Crypto24:
- New Encrypted File Extension: Not specified.
- Attack Methods: Employs advanced techniques capable of bypassing Endpoint Detection and Response (EDR) security systems, indicating a high level of technical skill.
- Targets: Major international organizations, including CMS Legal Services EEIG, a large law firm.
- Decryption Status: No known decryption method. The group leaks highly confidential data, including files related to government projects, sensitive contracts, and internal financial records.
- Source: New Crypto24 Ransomware Attacks Bypass EDR
- Warlock:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified in the reports, which focus on victim announcements.
- Targets: A wide range of high-profile global companies, including Colt Telecommunications (colt.net), Orange (orange.com), Hitachi (hitachi-hta.com), and Syspro (syspro.com).
- Decryption Status: No known decryption method. Data is either sold to third parties or publicly released if the victim does not pay.
- Source: Threat intelligence feed announcing new victims.
- Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified.
- Targets: Manufacturing sector, with Hytrol Conveyor Company, Inc. named as a recent victim.
- Decryption Status: No known decryption method. The group threatened to release over 20GB of sensitive financial data, employee information (including SSNs), and customer details.
- Source: Threat intelligence feed announcing new victims.
- Beast:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified.
- Targets: The healthcare sector, specifically Rehabilitative Health Services (RHS), a medical and mental health facility in Idaho.
- Decryption Status: No known decryption method.
- Source: Threat intelligence feed announcing new victims.
- Incransom:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified.
- Targets: Various industries, including accounting (mycpaconnection.com), private aviation (MJets), and industrial services (Töller).
- Decryption Status: No known decryption method.
- Source: Threat intelligence feed announcing new victims.
- Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified.
- Targets: European companies in the packaging and cosmetics sectors, including Ethical Packaging (UK) and Xpert Professional (Ireland).
- Decryption Status: No known decryption method.
- Source: Threat intelligence feed announcing new victims.
Observations and Further Recommendations
- A significant number of ransomware groups, including Warlock, Akira, Incransom, and Qilin, are highly active, targeting a diverse array of industries globally, from telecommunications and legal services to manufacturing and healthcare.
- The technical capabilities of threat actors are advancing, as demonstrated by the Crypto24 group’s ability to develop ransomware that bypasses modern Endpoint Detection and Response (EDR) solutions.
- This highlights the need for organizations to implement a defense-in-depth security strategy. Relying solely on EDR is insufficient. Recommendations include maintaining immutable, offline backups, enforcing multi-factor authentication (MFA), and conducting regular security awareness training to mitigate risks from sophisticated attacks.
News Details
- New Crypto24 Ransomware Attacks Bypass EDR: While several cybercrime groups have embraced “EDR killers,” researchers say the deep knowledge and technical skills demonstrated by Crypto24 signify a dangerous escalation.
- Colt Telecommunications Struggles in Wake of Cyber Incident: The UK telco said it temporarily took some systems offline as a “protective” measure in its investigation.
- 🏴☠️ Warlock has just published a new victim: colt.net: 1 million documents. The full set of files needs to be purchased separately.
- 🏴☠️ Crypto24 has just published a new victim: CMS Legal Services EEIG: We are in possession of highly confidential data belonging to CMS, one of the largest international law firms, including government and national infrastructure project files, sensitive contracts with multinational corporations, tax authority system access records, internal financial and legal documents, as well as payroll and personnel information.
- 🏴☠️ Akira has just published a new victim: Hytrol: Hytrol Conveyor Company, Inc. was founded in 1947. […] We are ready to upload more than 20GB files of essential corporate documents such as: financial data (audit, payment details, financial reports, invoices), employees and customers (and even relatives) information (Social Security Card, death certificate, medical information) and other documents with detailed personal information, and so on.
- 🏴☠️ Beast has just published a new victim: Rehabilitative Health Svc: Rehabilitative Health Services (RHS) is a comprehensive medical and mental health facility located in Ammon, ID, offering a diverse array of services including Addiction and Recovery, Family Medicine, Therapy, Counseling, and Psychological Testing.
- 🏴☠️ Incransom has just published a new victim: mycpaconnection.com: Employees: 25; Revenue: $5 Million; Industry: Accounting Services; Phone Number: (704) 878-9541; SENSITIVE DATA_$
- 🏴☠️ Qilin has just published a new victim: ethicalpackaging.co.uk: Ethical Packaging, UK, is a company that provides printing services and packaging production. The company works with world-renowned brands such as Hermes and the Ferrero Group.
- ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure: Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators’ infrastructure. “The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications,” Hunt.io
- Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware: The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads. Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger
- Researcher to release exploit for full auth bypass on FortiWeb: A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication.