Ransomware Update – 2025-09-06

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration for double extortion. The group specifies the volume and type of data stolen to pressure victims.
    • Targets: Indo-MIM (manufacturing) and Michigan Sugar (agriculture/food production).
    • Decryption Status: No decryption information available.
    • Source: Provided news feed (🏴‍☠️ Akira has just published a new victim…)
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and public disclosure of victims.
    • Targets: Schuler Service Group (business services, Germany) and Monterey Mushrooms, LLC (agriculture, USA).
    • Decryption Status: No decryption information available.
    • Source: Provided news feed (🏴‍☠️ Incransom has just published a new victim…)
  • Obscura:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and public disclosure of victims.
    • Targets: A diverse range of small to medium-sized businesses, including RelationMedia A/S (marketing, Denmark), The Fixing Company (construction, Ireland), multiple dental clinics, WZV Warndt (water utility, Germany), and MeamarGroup (real estate).
    • Decryption Status: No decryption information available.
    • Source: Provided news feed (🏴‍☠️ Obscura has just published a new victim…)
  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and public disclosure of victims.
    • Targets: Ekmanian Tax & Accounting (USA) and Osaki Medical (medical supplies, Japan).
    • Decryption Status: No decryption information available.
    • Source: Provided news feed (🏴‍☠️ Qilin has just published a new victim…)
  • Other Active Groups:

    • Attack Methods: Various other ransomware groups, including Killsec, Yurei, Rhysida, and Cicada3301, were also reported to have published new victims on their leak sites, indicating continued data theft and extortion operations.
    • Targets: Victims include MedicSolution+ (Killsec), Midcity Marketing (Yurei), Elite Trailers (Rhysida), and CI Engineering (Cicada3301), spanning industries from food distribution to manufacturing and engineering.
    • Decryption Status: No decryption information available.
    • Source: Provided news feed.

Observations and Further Recommendations

  • Ransomware activities remain high, with numerous groups actively targeting a wide and diverse range of industries globally, including business services, manufacturing, agriculture, healthcare, and utilities.
  • The dominant strategy continues to be double extortion, where attackers exfiltrate sensitive corporate and personal data before encryption and threaten to publish it on leak sites to coerce payment.
  • Groups like Akira are providing specific details about the stolen data (e.g., volume in GB, types of files) to increase pressure on their victims.
  • Organizations should prioritize robust security measures, including patching critical vulnerabilities (such as those identified in SAP and Sitecore), implementing multi-factor authentication (MFA), and maintaining secure, offline backups to mitigate the impact of an attack.

News Details

  • Malicious npm Packages Impersonate Flashbots, Steal Ethereum Wallet Keys: A new set of four malicious packages has been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers. “The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher…
  • CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation: Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity.
  • TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations: The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. “Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group…
  • SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild: A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month.
  • Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries: The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.
  • GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module: Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks… led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module…
  • 🏴‍☠️ Incransom has just published a new victim : schuler-service-group.de: Schuler Service Group is a comprehensive service provider specializing in garden and landscape construction, with expertise dating back to 1956. They offer year-round green maintenance services in urban and industrial areas…
  • 🏴‍☠️ Akira has just published a new victim : Indo-MIM: Indo-MIM is a manufacturer and supplier of precision-engineered products using Metal Injection Molding. We are going to upload 13 GB of corporate documents. A huge number of employee personal files…
  • 🏴‍☠️ Akira has just published a new victim : Michigan Sugar: Founded in 1906 and headquartered in Bay City, Michigan. Michigan Sugar manufactures granulated, powdered, liquid, and brown sugars. We are ready to upload more than 40GB files of essential corporate documents…
  • 🏴‍☠️ Rhysida has just published a new victim : Elite Trailers: Elite Trailers Elite Trailer MFG, LLC. specializes in the custom manufacturing of high-quality trailers, including horse, livestock, and specialty models.
  • 🏴‍☠️ Qilin has just published a new victim : Osaki Medical: Osaki Medical is a Japanese company, established in 1936, that manufactures and markets safe, functional, and cost-effective medical supplies, sanitary materials, cosmetics, and medical equipment for the medical and nursing care industries.
  • 🏴‍☠️ Cicada3301 has just published a new victim : CI Engineering: Status: 0d 23h 23m 40s – Size Data: 700 GB