Latest Ransomware News and New File Extensions
Qilin Ransomware:
- New Encrypted File Extension: Not specified in the provided reports.
- Attack Methods: Data exfiltration and public shaming on their leak site. Specific intrusion vectors were not detailed.
- Targets: Diverse entities including Atlanta Neighborhood Charter School, IBEW Local 1547 (Alaskan union), the Town of Chatham, MA, and several private US companies (All Phase Landscape, Ogden Publications, GM Contracting).
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Safepay Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion.
- Targets: A wide range of international organizations, including lipcare.de (Germany), Companions & Homemakers (USA), Cámara de Valencia (Spain), Dasmesh Punjabi School (Canada), Zanetti S.r.l. (Italy), Hardwick Tactical Corporation (USA), and Temple Emanu-El (USA).
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Akira Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft with threats to leak financial reports, employee PII (Social Security numbers, passports), and confidential agreements.
- Targets: US-based manufacturing and supply companies, including RMO Orthodontics and The Fredericks Company.
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Incransom Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Exfiltration of sensitive data, including personal data of executives, client information, and accounting/audit materials.
- Targets: A mix of entities including BDO Perú, the Canadian municipality of Sainte-Brigitte-de-Laval, and automotive/industrial companies like CPK Interior Products Inc.
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Blacknevas Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Claims of a significant network breach, exfiltration of 4TB of data, and persistent access to corporate networks.
- Targets: Toyota Asia and Toyota India.
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Other Active Groups (Rhysida, Interlock, Lynx, Cephalus):
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion via leak sites. Cephalus claims to have stolen source code and over 800GB of data from one victim.
- Targets: Various sectors, including Firelands Scientific (Rhysida), Loyola College (Interlock), BÜCHNER BARELLA Holding (Lynx), and multiple Cephalus victims, among them Delta Information Systems.
- Decryption Status: No known decryption method available.
- Source: Provided news feed
Observations and Further Recommendations
- Ransomware activity remains high, with numerous groups like Qilin, Safepay, Akira, and Incransom actively posting new victims from diverse sectors worldwide, including education, government, healthcare, and manufacturing. The primary tactic is double extortion, involving data encryption and the threat of leaking stolen sensitive information.
- A notable trend is the abuse of AI large language models (specifically Anthropic’s Claude) by threat actors to accelerate the development of ransomware and other malware. This lowers the barrier to entry for less skilled attackers and can speed up the creation of new threats.
- Given the high volume and sophistication of attacks, organizations should prioritize foundational cybersecurity measures: implement multi-factor authentication (MFA) across all services, maintain and test offline data backups, ensure timely patching of software vulnerabilities, and conduct regular employee security awareness training.
News Details
- WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices: WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
- Researchers Warn of Sitecore Exploit Chain Linking Cache Poisoning and Remote Code Execution: Three new security vulnerabilities have been disclosed in the Sitecore Experience Platform that could be exploited to achieve information disclosure and remote code execution.
- Webinar: Learn How to Unite Dev, Sec, and Ops Teams With One Shared Playbook: Picture this: Your team rolls out some new code, thinking everything’s fine. But hidden in there is a tiny flaw that explodes into a huge problem once it hits the cloud. Next thing you know, hackers are in, and your company is dealing with a mess that costs millions.
- Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication: Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts.
- Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign: An abandoned update server associated with input method editor (IME) software Sogou Zhuyin was leveraged by threat actors as part of an espionage campaign to deliver several malware families, including C6DOOR and GTELAM, in attacks primarily targeting users across Eastern Asia.
- Can Your Security Stack See ChatGPT? Why Network Visibility Matters: Generative AI platforms like ChatGPT, Gemini, Copilot, and Claude are increasingly common in organizations. While these solutions improve efficiency across tasks, they also present new data leak prevention challenges for generative AI.
- Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page: Click Studios, the developer of enterprise-focused password management solution Passwordstate, said it has released security updates to address an authentication bypass vulnerability in its software.
- FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available: The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet.
- Feds Seize $6.4M VerifTools Fake-ID Marketplace, but Operators Relaunch on New Domain: Authorities from the Netherlands and the United States have announced the dismantling of an illicit marketplace called VerifTools that peddled fraudulent identity documents to cybercriminals across the world.
- Google Warns Salesloft Drift Breach Impacts All Drift Integrations Beyond Salesforce: Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations.
- TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies: Cybersecurity researchers have discovered a cybercrime campaign that’s using malvertising tricks to direct victims to fraudulent sites to deliver a new information stealer called TamperedChef.
- Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names: Cybersecurity researchers have discovered a loophole in the Visual Studio Code Marketplace that allows threat actors to reuse names of previously removed extensions.
- Windows 11 KB5064081 update clears up CPU usage metrics in Task Manager: Microsoft has released the KB5064081 preview cumulative update for Windows 11 24H2, which includes thirty-six new features or changes, with many gradually rolling out.
- Microsoft fixes bug behind Windows certificate enrollment errors: Microsoft has resolved a known issue causing false CertificateServicesClient (CertEnroll) error messages after installing the July 2025 preview and subsequent Windows 11 24H2 updates.
- WhatsApp patches vulnerability exploited in zero-day attacks: WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks.
- Microsoft to enforce MFA for Azure resource management in October: Starting in October, Microsoft will enforce multi-factor authentication (MFA) for all Azure resource management actions to protect Azure clients from unauthorized access attempts.
- Microsoft says recent Windows update didn’t kill your SSD: Microsoft has found no link between the August 2025 KB5063878 security update and customer reports of failure and data corruption issues affecting solid-state drives (SSDs) and hard disk drives (HDDs).
- Google warns Salesloft breach impacted some Workspace accounts: Google reports that the Salesloft Drift breach is larger than initially thought, warning that attackers also used stolen OAuth tokens to access Google Workspace email accounts in addition to Salesforce data.
- US targets North Korean IT worker army with new sanctions: The U.S. Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals and two companies associated with North Korean IT worker schemes that operate at the expense of American organizations.
- Google shares workarounds for auth failures on ChromeOS devices: Google is working to resolve authentication failures preventing users from signing into their Clever and ClassLink accounts on some ChromeOS devices.
- Malware devs abuse Anthropic’s Claude AI to build ransomware: Anthropic’s Claude Code large language model has been abused by threat actors who used it in data extortion campaigns and to develop ransomware packages.
- Microsoft Word will save your files to the cloud by default: Microsoft says that Word for Windows will soon enable autosave and automatically save all new documents to the cloud by default.
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups: Many familiar faces made Flashpoint’s 2025 midyear ransomware report, as well as new gangs, which are increasingly using AI.
- 🏴☠️ Qilin has just published a new victim : atlanta neighborhood charter school: Atlanta Neighborhood Charter School (ANCS) is a K-8 public charter school in Atlanta, recognized for its academic excellence and innovative programs. However, they could not make a program to protect their own students.
- 🏴☠️ Safepay has just published a new victim : lipcare.de: Lipcare, operated by KHK GmbH in Germany, is a specialized manufacturer of natural and conventional cosmetics, with a particular focus …
- 🏴☠️ Qilin has just published a new victim : allphaselandscape.net: All Phase Landscape, USA is a company engaged in landscaping, design, and service of green areas in parks, around administrative, office, and residential buildings.
- 🏴☠️ Qilin has just published a new victim : ibew1547.org: IBEW Local 1547, USA – a union in Alaska that is supposed to provide safety and protect the rights of electric utility and communications workers, local officials, health care workers, and many other professionals.
- 🏴☠️ Interlock has just published a new victim : Loyola College: Loyola College – is a large educational institution with thousands of students! Hundreds of employees! This college is very poorly protected in our reality, and therefore data was compromised!
- 🏴☠️ Incransom has just published a new victim : www.sbdl.net: Purpose: To provide information and services to the residents of Sainte-Brigitte-de-Laval. Services: Environmental management, community engagement, recreational activities, public safety, and city planning.
- 🏴☠️ Akira has just published a new victim : RMO: RMO Orthodontics is a leading manufacturer and supplier of innovative and high-quality orthodontic instruments and supplies. We are going to upload company data soon.
- 🏴☠️ Blacknevas has just published a new victim : TOYOTA ASIA TOYOTA INDIA: Hello, I think your IT service hid from you information about the hacking of your corporate network and a data leak. I tell you the details: Your corporate network was checked for vulnerability and did not go through the check. 4TB data were pumped up…
- 🏴☠️ Rhysida has just published a new victim : Firelands Scientific: Firelands Scientific