Latest Ransomware News and New File Extensions
Yurei Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Utilizes a modified version of the Prince-Ransomware binary to encrypt data and extort victims.
- Targets: General organizations; has claimed its first victims.
- Decryption Status: Partial data recovery is possible due to a flaw in the malware, but the extortion threat remains.
- Source: Dark Reading (Emerging Yurei Ransomware Claims First Victims)
HybridPetya Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: A Petya/NotPetya-like wiper designed to target UEFI-based systems and bypass the Secure Boot protection mechanism.
- Targets: UEFI-based computer systems.
- Decryption Status: No known decryption method mentioned; likely destructive.
- Source: Dark Reading (‘HybridPetya’ Ransomware Bypasses Secure Boot)
KillSec Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Breached systems and stole sensitive patient data, indicating a data exfiltration and encryption attack.
- Targets: A major Brazilian healthcare software provider, impacting the healthcare technology supply chain.
- Decryption Status: No known method mentioned.
- Source: Dark Reading (KillSec Ransomware Hits Brazilian Healthcare Software Provider)
Jaguar Land Rover Cyberattack:
- Ransomware Name (or prominent details if unnamed): A devastating, unnamed cyberattack causing significant operational disruption, characteristic of ransomware.
- New Encrypted File Extension: Not applicable / unknown.
- Attack Methods: The attack impacted IT systems, forcing a halt to production.
- Targets: Jaguar Land Rover (automotive industry).
- Decryption Status: Not specified; the company has extended its production shutdown for a second week.
- Source: BleepingComputer (Jaguar Land Rover extends shutdown after cyberattack by another week)
Observations and Further Recommendations
- Several new and updated ransomware variants, including Yurei and HybridPetya, are actively being deployed with sophisticated techniques like bypassing Secure Boot.
- The healthcare sector continues to be a high-value target, as demonstrated by the KillSec attack on a Brazilian healthcare technology provider, which has supply chain implications.
- Major industrial operations remain at risk, with the attack on Jaguar Land Rover causing a prolonged production shutdown, highlighting the severe business impact of such incidents.
- Numerous ransomware groups (including Qilin, Sarcoma, Incransom, Play, and others) are actively publishing victims on their leak sites, indicating a high volume of ongoing attacks across various industries worldwide.
- Phishing and supply chain attacks remain prevalent initial access methods. The FileFix campaign using steganography to deliver stealers and the self-replicating worm in npm packages are examples of threats that can precede a ransomware infection.
- Organizations should prioritize robust security measures, including endpoint detection and response (EDR), regular system patching, multi-factor authentication (MFA), and comprehensive employee training on identifying phishing attempts.
News Details
- Rethinking AI Data Security: A Buyer’s Guide: Generative AI has gone from a curiosity to a cornerstone of enterprise productivity in just a few short years. From copilots embedded in office suites to dedicated large language model (LLM) platforms, employees now rely on these tools to code, analyze, draft, and decide. But for CISOs and security architects, the very speed of adoption has created a paradox: the more powerful the tools, the
- Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims: Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going “dark.” Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. This is supported by an increase in lookalike domains
- DOJ Resentences BreachForums Founder to 3 Years for Cybercrime and Possession of CSAM: The U.S. Department of Justice (DoJ) on Tuesday resentenced the former administrator of BreachForums to three years in prison in connection with his role in running the cybercrime forum and possessing child sexual abuse material (CSAM). Conor Brian Fitzpatrick (aka Pompompurin), 22, of Peekskill, New York, pleaded guilty to one count of access device conspiracy, one count of access device
- RaccoonO365 Phishing Network Dismantled as Microsoft, Cloudflare Take Down 338 Domains: Microsoft’s Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that was behind a phishing-as-a-service (PhaaS) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024.
- Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover: Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. “Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform’s fault injections (such as shutting down pods or disrupting network communications), and perform
- SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids: A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps, collectively attracting 38 million downloads across 228 countries and territories. “These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks,” HUMAN’s Satori Threat Intelligence and
- New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site: Cybersecurity researchers have warned of a new campaign that’s leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. “The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection,” Acronis security researcher Eliad
- Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack: Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild. The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.
- Securing the Agentic Era: Introducing Astrix’s AI Agent Control Plane: AI agents are rapidly becoming a core part of the enterprise, being embedded across enterprise workflows, operating with autonomy, and making decisions about which systems to access and how to use them. But as agents grow in power and autonomy, so do the risks and threats.
- Phoenix RowHammer Attack Bypasses Advanced DDR5 Memory Protections in 109 Seconds: A team of academics from ETH Zürich and Google has discovered a new variant of a RowHammer attack targeting Double Data Rate 5 (DDR5) memory chips from South Korean semiconductor vendor SK Hynix. The RowHammer attack variant, codenamed Phoenix (CVE-2025-6202, CVSS score: 7.1), is capable of bypassing sophisticated protection mechanisms put in place to resist the attack.
- Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack: Cybersecurity researchers have flagged a fresh software supply chain attack targeting the npm registry that has affected more than 40 packages that belong to multiple maintainers. “The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling
- Mustang Panda Deploys SnakeDisk USB Worm to Deliver Yokai Backdoor on Thailand IPs: The China-aligned threat actor known as Mustang Panda has been observed using an updated version of a backdoor called TONESHELL and a previously undocumented USB worm called SnakeDisk. “The worm only executes on devices with Thailand-based IP addresses and drops the Yokai backdoor,” IBM X-Force researchers Golo Mühr and Joshua Chung said in an analysis published last week.
- BreachForums hacking forum admin resentenced to three years in prison: Conor Brian Fitzpatrick, the 22-year-old behind the notorious BreachForums hacking forum, was resentenced today to three years in prison after a federal appeals court overturned his prior sentence of time served and 20 years of supervised release.
- Microsoft rolls out Copilot Chat to Microsoft 365 Office apps: Microsoft is rolling out Copilot Chat to Word, Excel, PowerPoint, Outlook, and OneNote for paying Microsoft 365 business customers.
- Google nukes 224 Android malware apps behind massive ad fraud campaign: A massive Android ad fraud operation dubbed “SlopAds” was disrupted after 224 malicious applications on Google Play were used to generate 2.3 billion ad requests per day.
- Self-propagating supply chain attack hits 187 npm packages: Security researchers have identified at least 187 npm packages compromised in an ongoing supply chain attack. The coordinated worm-style campaign dubbed ‘Shai-Hulud’ started yesterday with the compromise of the @ctrl/tinycolor npm package, and has now expanded to CrowdStrike’s npm namespace.
- Microsoft: WMIC will be removed after Windows 11 25H2 upgrade: Microsoft has announced that the Windows Management Instrumentation Command-line (WMIC) tool will be removed after upgrading to Windows 11 25H2 and later.
- Jaguar Land Rover extends shutdown after cyberattack by another week: Jaguar Land Rover (JLR) announced today that it will extend the production shutdown for another week, following a devastating cyberattack that impacted its systems at the end of August.
- Apple backports zero-day patches to older iPhones and iPads: Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in “extremely sophisticated” attacks.
- New FileFix attack uses steganography to drop StealC malware: A newly discovered FileFix social engineering attack impersonates Meta account suspension warnings to trick users into unknowingly installing the StealC infostealer malware.
- Emerging Yurei Ransomware Claims First Victims: The cybercrime group, named after Japanese ghosts but believed to be from Morocco, uses a modified version of the Prince-Ransomware binary that includes a flaw allowing for partial data recovery. However, an extortion threat remains.
- ‘HybridPetya’ Ransomware Bypasses Secure Boot: The malware, which has traits of Petya ransomware and the infamous NotPetya wiper, is designed to target UEFI-based systems, according to researchers.
- KillSec Ransomware Hits Brazilian Healthcare Software Provider: The ransomware gang breached a “major element” of the healthcare technology supply chain and stole sensitive patient data, according to researchers.
- FBI Warns of Threat Actors Hitting Salesforce Customers: The FBI’s IC3 recently warned of two threat actors, UNC6040 and UNC6395, targeting Salesforce customers, separately and in tandem.
- North Korean Group Targets South With Military ID Deepfakes: The North Korea-linked group Kimsuky used ChatGPT to create deepfakes of military ID documents in an attempt to compromise South Korean targets.
- Self-Replicating ‘Shai-hulud’ Worm Targets NPM Packages: The newly emerged worm has spread across hundreds of open source software packages, stealing credentials and infecting other components without much direct attacker input.
- Innovative FileFix Phishing Attack Proves Plenty Potent: Highly deceptive FileFix uses code obfuscation and steganography and has been translated into at least 16 languages to power a global campaign.
- 🏴☠️ Qilin has just published a new victim : Pieffe Auto Group: Pieffe Auto Group is a leading multi-brand automotive dealership network based in the Abruzzo region of Italy.
- 🏴☠️ Sarcoma has just published a new victim : IAD GmbH: In addition to our traditional training and certification services, you can also take advantage of other services: from our in-house Pearson VUE test centers in Erfurt, Jena, Leipzig, Marburg, and Nordhausen…
- 🏴☠️ Incransom has just published a new victim : Humax Holdings: We hacked Humax Holdings. […] We have at our disposal fiscal data, internal mail, data of all employees of the company, as well as strategic development plans.
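The npm worm item above (a NpmModule.updatePackage routine that edits package.json and injects a root-level bundle.js before republishing) describes a pattern a defender can scan an installed node_modules tree for. The script below is an added example, not code from any of the cited articles or from any npm project; it assumes the injected script is wired into an npm lifecycle hook (preinstall/install/postinstall), which the page does not state, and it scans a constructed sample tree rather than real packages.

```python
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
INJECTED_SCRIPT = "bundle.js"  # script name the worm summary says is injected

def inspect_package(pkg_dir):
    """Return (name, reason) findings for one installed package directory."""
    manifest_path = os.path.join(pkg_dir, "package.json")
    if not os.path.isfile(manifest_path):
        return []
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    name = manifest.get("name", os.path.basename(pkg_dir))
    if not os.path.isfile(os.path.join(pkg_dir, INJECTED_SCRIPT)):
        return []
    scripts = manifest.get("scripts") or {}
    # Assumption (not on the page): the injected script runs from a lifecycle hook.
    hooked = [h for h in LIFECYCLE_HOOKS if INJECTED_SCRIPT in str(scripts.get(h, ""))]
    if hooked:
        return [(name, "root bundle.js run from lifecycle hook " + ",".join(hooked))]
    return [(name, "unexpected root bundle.js; review manually")]

def scan_node_modules(root):
    """Walk node_modules, descending into scoped @org/pkg directories."""
    findings = []
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        if not os.path.isdir(path):
            continue
        pkg_dirs = ([os.path.join(path, s) for s in sorted(os.listdir(path))]
                    if entry.startswith("@") else [path])
        for pkg_dir in pkg_dirs:
            findings.extend(inspect_package(pkg_dir))
    return findings

def build_fixture():
    """Constructed sample tree (not real packages): one clean, one tampered scoped package."""
    root = tempfile.mkdtemp()
    clean, tampered = os.path.join(root, "clean-lib"), os.path.join(root, "@acme", "colors")
    for d in (clean, tampered):
        os.makedirs(d)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "clean-lib", "scripts": {"test": "node test.js"}}, fh)
    with open(os.path.join(tampered, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "@acme/colors", "scripts": {"postinstall": "node bundle.js"}}, fh)
    open(os.path.join(tampered, INJECTED_SCRIPT), "w").close()
    return root
```

Run `scan_node_modules("node_modules")` against a real project to list packages carrying the injected-script pattern; a hit is a lead for manual review, not proof of compromise.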