Ransomware Update – 2025-09-02

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Multiple Ransomware Groups:
    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets:
      • Akira: Genmark Automation (US, Semiconductor Equipment), Automated Business Solutions (US, Office Equipment).
      • Blacknevas: SISTRAN Consultores (IT Services for Insurance).
      • Chaos: Ellison-Mills Contracting (US, Infrastructure).
      • Desolator: Construseñales S.A., LEVEL.
      • Dragonforce: Caprez Ingenieure AG (Switzerland, Engineering Services).
      • Incransom: TAK Communications, Inc (US, Telecommunications).
      • Lynx: Oakland Museum of California (US, Museum).
      • Play: Arboris, Juggernaut, Vanderpool Construction, All States Materials Group (All US-based).
      • Qilin: PathoQuest-Biotechnology Research (US/France, Biotechnology).
      • Safepay: BTH CPA (US, Accounting), The K Club (Ireland, Luxury Resort), USAI.io (US, AI), Wilson AT Law (US, Legal), Scott Schiff & Associates (US, Legal), M.D. Neal Engineering (US, Engineering), Umweltprofis (Austria, Environmental), Waterford Surgical Center (US, Healthcare), Oiwky.com (US, IT).
      • Sinobi: Pittsburgh Gastroenterology Associates (US, Healthcare).
      • Warlock: mffood.com, gmpc.com.
    • Decryption Status: No known public decryption tools are available.
    • Source: Victim announcements posted by the respective ransomware groups.

Observations and Further Recommendations

  • A wide array of ransomware groups, including Safepay, Play, and Akira, has been highly active, publicly naming numerous victims across diverse sectors such as healthcare, technology, legal, and engineering. This indicates a broad and ongoing campaign targeting organizations of all types.
  • Beyond data encryption, threat actors are leveraging data exfiltration and public shaming as primary tactics to pressure victims into paying ransoms.
  • Other significant cyber threats are running parallel to ransomware campaigns. These include massive brute-force attacks targeting SSL VPN and RDP services, the use of vulnerable drivers to disable security software (BYOVD technique), and supply chain attacks where breaches at service providers like Salesloft have cascading effects on their customers.
  • It is crucial for organizations to secure all remote access points with strong passwords and multi-factor authentication (MFA). Regularly monitoring for anomalous login activity and maintaining a strict patch management policy are essential preventive measures.

News Details

  • Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices: Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736).
  • Silver Fox Exploits Microsoft-Signed WatchDog Driver to Deploy ValleyRAT Malware: The threat actor known as Silver Fox has been attributed to abuse of a previously unknown vulnerable driver associated with WatchDog Anti-malware as part of a Bring Your Own Vulnerable Driver (BYOVD) attack aimed at disarming security solutions installed on compromised hosts.
  • Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets: Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems. The package, named nodejs-smtp, impersonates the legitimate email library nodemailer.
  • Android Droppers Now Deliver SMS Stealers and Spyware, Not Just Banking Trojans: Cybersecurity researchers are calling attention to a shift in the Android malware landscape in which dropper apps, typically used to deliver banking trojans, are also being used to distribute simpler malware such as SMS stealers and basic spyware. These campaigns are propagated via dropper apps masquerading as government or banking apps.
  • Zscaler data breach exposes customer info after Salesloft Drift compromise: Cybersecurity company Zscaler warns it suffered a data breach after threat actors gained access to its Salesforce instance and stole customer information, including the contents of support cases.
  • Amazon disrupts Russian APT29 hackers targeting Microsoft 365: Researchers have disrupted an operation attributed to Russian state-sponsored threat group Midnight Blizzard, who sought access to Microsoft 365 accounts and data.
  • Brokewell Android malware delivered through fake TradingView ads: Cybercriminals are abusing Meta’s advertising platforms with fake offers of a free TradingView Premium app that spreads the Brokewell malware for Android.
  • The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft: The recent mass-theft of authentication tokens from Salesloft… has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft.
  • 🏴‍☠️ Sinobi has just published a new victim: Pittsburgh Gastroenterology Associates: Pittsburgh Gastroenterology Associates specializes in the diagnosis and treatment of digestive health issues, focusing on diseases of the esophagus, stomach, intestines, liver, gallbladder, and pancreas.
  • 🏴‍☠️ Safepay has just published a new victim: bthcpa.com: BTH CPA is a professional accounting and advisory firm based in the United States, offering a full range of financial…
  • 🏴‍☠️ Safepay has just published a new victim: kclub.ie: The K Club is a luxury resort and golf destination located in County Kildare, Ireland. Known for its five-star accommodations,…
  • 🏴‍☠️ Chaos has just published a new victim: ellison-mills.com: Ellison-Mills Contracting is a family-oriented company specializing in wet utility and roadway infrastructure in Southern Arizona.
  • 🏴‍☠️ Blacknevas has just published a new victim: SISTRAN Consultores: The company specializes in providing IT services, software development, and consulting solutions, primarily focused on the insurance industry.
  • 🏴‍☠️ Incransom has just published a new victim: TAK Communications, Inc: TAK Communications, Inc. is a nationally recognized cable installation contract firm for the cable TV and telecommunications industry.
  • 🏴‍☠️ Dragonforce has just published a new victim: Caprez Ingenieure AG: Caprez Ingenieure AG provides structural, civil, bridge, water supply, sewage, snow-making, building maintenance, and special fields engineering services.
  • 🏴‍☠️ Akira has just published a new victim: Genmark Automation: Founded in 1985 and headquartered in California, Genmark Automation is a worldwide developer and manufacturer of tool and fab automation equipment solutions for the semiconductor, flat panel, solar, LED, data storage, and associated industries.
  • 🏴‍☠️ Akira has just published a new victim: Automated Business Solutions: Automated Business Solutions, Inc. is a designer and supplier of office equipment and comprehensive business solutions.
  • 🏴‍☠️ Lynx has just published a new victim: oakland-museum-of-california: Established in 1969, the Oakland Museum of California provides collections, exhibitions, education programs, and public dialogue. It is based in Oakland, California.
  • 🏴‍☠️ Qilin has just published a new victim: PathoQuest-Biotechnology Research: The company conducts research on innovative biopharmaceuticals under complex testing conditions on two continents. PathoQuest offers a proven next-generation sequencing (NGS) approach to biosafety…
  • 🏴‍☠️ Play has just published a new victim: All States Materials Group: United States