Latest Ransomware News and New File Extensions
Akira Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Actively exploiting flaws and misconfigurations in SonicWall SSL VPN appliances for initial access into corporate networks.
- Targets: Organizations using vulnerable SonicWall devices. Recently announced victims include companies in architectural woodwork, transport/trucking, homebuilding, and food distribution.
- Decryption Status: No known decryption method mentioned.
- Source: [SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers]
Incransom:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: Diverse corporate entities, including a healthcare investment firm (Deerfield), a genomics lab (Singular Genomics), and an industrial automation company (transnova-ruf.de). The group claims to have exfiltrated 20TB of data from the genomics lab.
- Decryption Status: No known decryption method mentioned.
- Source: [🏴☠️ Incransom has just published a new victim : deerfield.com / singulargenomics.com]
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: Various industries, including a data storage and protection company (Spectra Logic), a security firm (Ekotrade), and a fruit and vegetable wholesaler (Wouters France).
- Decryption Status: No known decryption method mentioned.
- Source: [🏴☠️ Qilin has just published a new victim : Spectra Logic]
Multiple Other Active Groups (Daixin, Play, Rhysida, etc.):
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: Numerous ransomware groups including Daixin, Play, Rhysida, Lynx, and Abyss have announced a steady stream of new victims across a wide range of sectors like behavioral health, insurance, art, real estate, transportation, and various US-based manufacturing and engineering firms.
- Decryption Status: No known decryption methods mentioned.
- Source: [Various ransomware victim announcements]
Observations and Further Recommendations
- Ransomware groups like Akira are actively exploiting known vulnerabilities in common internet-facing devices, such as SonicWall SSL VPNs, for initial access. This highlights the critical importance of timely patching and security configuration management.
- A wide variety of industries continue to be targeted, including healthcare, finance, manufacturing, technology, logistics, and professional services, indicating that no sector is immune to these attacks.
- To mitigate risks, organizations should prioritize securing their network perimeter, enforce strong multi-factor authentication (MFA) across all services, and maintain regular, tested, and isolated backups of critical data.
News Details
- Cracking the Boardroom Code: Helping CISOs Speak the Language of Business: CISOs know their field. They understand the threat landscape. They understand how to build a strong and cost-effective security stack. They understand how to staff out their organization. They understand the intricacies of compliance. They understand what it takes to reduce risk.
- SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers: Threat actors affiliated with the Akira ransomware group have continued to target SonicWall devices for initial access. Cybersecurity firm Rapid7 said it observed a spike in intrusions involving SonicWall appliances over the past month, particularly following reports about renewed Akira ransomware activity since late July 2025.
- Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts: Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake “Meta Verified” browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles.
- AsyncRAT Exploits ConnectWise ScreenConnect to Steal Credentials and Crypto: Cybersecurity researchers have disclosed details of a new campaign that leverages ConnectWise ScreenConnect, a legitimate Remote Monitoring and Management (RMM) software, to deliver a fileless loader that drops a remote access trojan (RAT) called AsyncRAT to steal sensitive data from compromised hosts.
- Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems: An advanced persistent threat (APT) group from China has been attributed to the compromise of a Philippines-based military company using a previously undocumented fileless malware framework called EggStreme.
- CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems: Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
- Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs: Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.
- Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises: Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.
- China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations: The House Select Committee on China has formally issued an advisory warning of an “ongoing” series of highly targeted cyber espionage campaigns linked to the People’s Republic of China (PRC) amid contentious U.S.–China trade talks.
- Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts: Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts.
- Jaguar Land Rover confirms data theft after recent cyberattack: Jaguar Land Rover (JLR) confirmed today that attackers also stole “some data” during a recent cyberattack that forced it to shut down systems and instruct staff not to report to work.
- Russian APT Attacks Kazakhstan’s Largest Oil Company: Researchers say a likely Russian APT used a compromised employee email account to attack Kazakhstan’s biggest company, though the oil and gas firm claims it was a pen test.
- 🏴☠️ Killsec has just published a new victim : BlockBets Casino: N/A
- 🏴☠️ Daixin has just published a new victim : SGS Co: Brand design and packaging solutions agency.
- 🏴☠️ Daixin has just published a new victim : Communicare Inc.: Communicare, Inc. has been a premier provider of behavioral health services in Kentucky’s heartland since 1967.
- 🏴☠️ Daixin has just published a new victim : Insurance Office of America: Insurance Office of America (IOA) is a premier, full-service insurance agency dedicated to delivering bespoke insurance solutions since 1988. We’re one of the USA’s fastest-growing agencies.
- 🏴☠️ Daixin has just published a new victim : Gagosian: Established by Larry Gagosian in Los Angeles in 1980, Gagosian is a global gallery specializing in modern and contemporary art that employs more than three hundred people at eighteen exhibition spaces across the United States, Europe, and Asia.
- 🏴☠️ Abyss has just published a new victim : moinian.com: Founded in 1982, The Moinian Group is a privately held real estate investment company focusing on New York City commercial, residential, and hospitality properties.
- 🏴☠️ Incransom has just published a new victim : deerfield.com / singulargenomics.com: Deerfield Management (“Deerfield”) is an American investment firm headquartered in New York City. It is focused on making public and private investments in the healthcare and biotechnology industries. … We hacked and compromised one of the many laboratories belonging to Deerfield: www.singulargenomics.com … We downloaded about 20 TERABYTES of data from servers and Amazon storage.
- 🏴☠️ Lynx has just published a new victim : Encore Leisure Group: Encore Leisure Group
- 🏴☠️ Incransom has just published a new victim : transnova-ruf.de: Transnova-Ruf GmbH from Ansbach develops and builds machines with around 300 employees for the automation of end-of-line packaging and palletizing processes. We have 600GB of files at our disposal: mail, financial documents, customer contracts, confidential information.
- 🏴☠️ Qilin has just published a new victim : Spectra Logic: Spectra Logic, USA – data protection and storage company LMAOOOAHHAHA I’m dead!!! Sorry, but this is really funny. PROTECTION! STORAGE! DATA!!!! On our blog, yes.
- 🏴☠️ Akira has just published a new victim : Commercial Casework: Commercial Casework Inc. has been a leading provider of custom architectural woodwork and cabinetry in Northern California since 1976… We are going to upload 12GB of corporate data. A lot of hr data, medical information, accounting files, payment details, client information, project information, etc.
- 🏴☠️ Akira has just published a new victim : Venezia: Venezia, headquartered in Limerick, PA, provides high quality transport & trucking services for the Liquid, Dry Bulk & Specialty commodities transportation industry to 48 states and Canada. We are going to upload 35GB of corporate data.
- Microsoft Patch Tuesday, September 2025 Edition: Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label.