Ransomware Update – 2025-09-21

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Incransom:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion, claiming to have stolen 5.7TB of data.
    • Targets: Government and law enforcement agencies (Pennsylvania Office of Attorney General).
    • Decryption Status: No known public decryptor. The focus is on the data leak.
    • Source: Not specified.
  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and public shaming of victims on their leak site.
    • Targets: A diverse range of industries, including Food (Goodcents), Utilities (NV ELMAR), Real Estate (Promociones Luis Barros), and Finance (EUM Asset Management).
    • Decryption Status: No known public decryptor.
    • Source: Not specified.
  • Blackshrantac:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion targeting industrial companies.
    • Targets: Manufacturing and engineering sectors (Altaş in Turkey, Klingelnberg in India).
    • Decryption Status: No known public decryptor.
    • Source: Not specified.
  • Embargo:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data breach and extortion, with a claim of exfiltrating 2TB of sensitive data.
    • Targets: Industrial services (USA DeBusk).
    • Decryption Status: No known public decryptor.
    • Source: Not specified.
  • Play:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Manufacturing sector (United Machine in the U.S.).
    • Decryption Status: No known public decryptor.
    • Source: Not specified.
  • Anubis:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration, specifically targeting sensitive government-related documents.
    • Targets: Government contractors (Alan Shintani, Inc).
    • Decryption Status: No known public decryptor.
    • Source: Not specified.
  • MalTerminal (New Malware Capability):

    • New Encrypted File Extension: Not applicable (it is a malware generation tool).
    • Attack Methods: Utilizes Large Language Models (LLMs) like GPT-4 to dynamically create malicious code, including ransomware and reverse shells.
    • Targets: General; represents a new method for creating threats rather than a specific campaign.
    • Decryption Status: Not applicable, as it depends on the ransomware it generates.
    • Source: Not specified.

Observations and Further Recommendations

  • Ransomware groups continue to actively target a wide array of sectors globally, including critical infrastructure, government, finance, and manufacturing. The primary tactic observed is data exfiltration followed by extortion, threatening to leak sensitive information.
  • A notable development is the discovery of “MalTerminal,” a malware that uses AI (GPT-4) to create other malicious tools. This could lower the technical barrier for cybercriminals to develop and deploy new, customized ransomware strains, signaling a potential shift in threat creation.
  • Organizations should continue to prioritize foundational cybersecurity practices: maintain offline backups, implement multi-factor authentication, segment networks to limit lateral movement, and conduct regular security awareness training for employees. The rise of AI-generated malware underscores the need for advanced, behavior-based threat detection systems.
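A binary that asks a hosted model to write its payload at runtime must carry what it needs to reach that model: an API endpoint, a credential, and the prompt text it sends. Those are fixed strings, so they are hunting material for a static scanner even though the generated payload itself has no fixed form on disk. The Python below is an added example written for this update; it is not code from the page, from SentinelLABS, or from the MalTerminal research. The hostnames, the key-prefix regex and the prompt markers are heuristics assumed here, and the two byte blobs are constructed stand-ins, not real samples.

```python
"""Static hunt for LLM-enabled malware artifacts (added example, not vendor code).

A sample that calls a hosted LLM at runtime needs an endpoint, a credential and a
prompt. Each is a printable string, so a strings-style pass can surface them.
Requiring two independent indicator classes keeps a lone API hostname (present in
every legitimate SDK or chat client) from raising an alert on its own.
"""
import re
from dataclasses import dataclass, field

# Printable ASCII runs of at least 8 characters, the usual `strings` threshold.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")

# Heuristic indicators assumed for this example.
API_HOSTS = (
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
)
# Assumption: key material uses an "sk-" / "sk-proj-" prefix followed by a long token.
API_KEY_RE = re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b")
PROMPT_MARKERS = (
    "you are a", "act as", "write a python", "write code", "only output code",
    "ransomware", "encrypt all files", "reverse shell",
)


@dataclass
class HuntResult:
    hosts: list = field(default_factory=list)
    keys: list = field(default_factory=list)
    prompts: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator class present, regardless of how many hits.
        return bool(self.hosts) + bool(self.keys) + bool(self.prompts)

    @property
    def suspicious(self) -> bool:
        # Endpoint alone is normal; endpoint plus credential or prompt is not.
        return self.score >= 2


def extract_strings(blob: bytes) -> list:
    """Return the printable ASCII runs in a byte blob, decoded."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def hunt(blob: bytes) -> HuntResult:
    """Scan raw bytes for LLM endpoint, credential and prompt artifacts."""
    result = HuntResult()
    for s in extract_strings(blob):
        low = s.lower()
        for host in API_HOSTS:
            if host in low and host not in result.hosts:
                result.hosts.append(host)
        for key in API_KEY_RE.findall(s):
            # Keep only the prefix when reporting so the report itself leaks nothing.
            result.keys.append(key[:11] + "...")
        if any(marker in low for marker in PROMPT_MARKERS):
            result.prompts.append(s)
    return result


def hunt_file(path: str) -> HuntResult:
    with open(path, "rb") as fh:
        return hunt(fh.read())


# Constructed stand-ins for this example; neither is a real sample.
SUSPICIOUS_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"https://api.openai.com/v1/chat/completions\x00"
    + b"Authorization: Bearer sk-proj-ZmFrZWtleWZvcmRlbW9vbmx5MDAwMDAw\x00"
    + b"You are a helpful assistant. Write a Python ransomware that encrypts all "
    b"files in the home directory and only output code.\x00"
    + b"\x00" * 32
)
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://api.openai.com/v1/models\x00"  # an ordinary SDK carries this too
    + b"User-Agent: example-client/1.0\x00"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = hunt(blob)
        print(f"{name}: score={r.score} suspicious={r.suspicious} "
              f"hosts={r.hosts} keys={r.keys} prompts={len(r.prompts)}")
```

The scoring is deliberately conservative: a hostname by itself scores 1 and is not flagged, because chat clients and SDKs legitimately embed the same endpoints. Packed or encrypted samples will defeat a plain strings pass, so in practice this runs over unpacked files or memory dumps, which is also where a runtime-generated prompt would appear.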

News Details

  • DPRK Hackers Use ClickFix to Deliver BeaverTail Malware in Crypto Job Scams: Threat actors with ties to the Democratic People’s Republic of Korea (aka DPRK or North Korea) have been observed leveraging ClickFix-style lures to deliver the known malware families BeaverTail and InvisibleFerret. “The threat actor used ClickFix lures to target marketing and trader roles in cryptocurrency and retail sector organizations rather than targeting software development roles,” GitLab
  • LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer: LastPass is warning of an ongoing, widespread information stealer campaign targeting Apple macOS users through fake GitHub repositories that distribute malware-laced programs masquerading as legitimate tools. “In the case of LastPass, the fraudulent repositories redirected potential victims to a repository that downloads the Atomic infostealer malware,” researchers Alex Cox, Mike Kosak, and
  • Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell: Cybersecurity researchers have discovered what they say is the earliest example known to date of a malware that bakes in Large Language Model (LLM) capabilities. The malware has been codenamed MalTerminal by SentinelOne SentinelLABS research team. The findings were presented at the LABScon 2025 security conference.
  • ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent: Cybersecurity researchers have disclosed a zero-click flaw in OpenAI ChatGPT’s Deep Research agent that could allow an attacker to leak sensitive Gmail inbox data with a single crafted email without any user action. The new class of attack has been codenamed ShadowLeak by Radware.
  • Canada dismantles TradeOgre exchange, seizes $40 million in crypto: The Royal Canadian Mounted Police has shut down the TradeOgre cryptocurrency exchange and seized more than $40 million believed to originate from criminal activities. […]
  • Microsoft starts rolling out Gaming Copilot on Windows 11 PCs: Microsoft has begun rolling out the beta version of its AI-powered Gaming Copilot to Windows 11 systems for users aged 18 or older, excluding those in mainland China. […]
  • Why PlayStation and Xbox are no longer about the station or the box: This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more on the intersection of gaming and technology, follow Sean Hollister. The Stepback arrives in our subscribers’ inboxes at 8AM ET. Opt in for The Stepback here.
  • The best smart glasses got a little better: Hi, friends! Welcome to Installer No. 98, your guide to the best and Verge-iest stuff in the world. (If you’re new here, welcome, please tell me if you bought an orange iPhone, and also you can read all the old editions at the Installer homepage.)
  • Amazon, Google, and Microsoft warn employees to rush back to the US: With new restrictions and fees on work visas in the US set to take effect at midnight tonight, it’s no surprise that many employers are advising workers abroad to return to the US. Leaked memos from Google, Amazon, and Microsoft have been circulating on social media that instruct any H-1B visa holders currently traveling to immediately make travel arrangements to land in the US before 12AM ET on Sunday September 21st.
  • Trump announces skilled worker visas will now cost $100,000: All the fawning by tech CEOs wasn’t enough to convince Donald Trump to back off his crusade against immigrants. Yesterday the president announced that the government would be adding a $100,000-a-year fee on all H-1B visas in an effort to discourage their use.
  • Prime members can get three months of Kindle Unlimited for free: A three-month Kindle Unlimited subscription is free for Amazon Prime members right now. A cool new perk recently became available for Prime members: for a limited time, you can get a three-month subscription to Kindle Unlimited.
  • The wafer-thin iPhone Air is surprisingly strong: You’d be forgiven for assuming the iPhone Air would snap like a twig under pressure. It’s almost impossibly thin at just 5.6mm. But, its titanium frame is not only stronger than aluminum, it’s also more elastic.
  • Republicans’ political purge is just getting started: Barely over a week after right-wing activist Charlie Kirk’s public killing at a Utah campus, speech attacks in the name of the self-proclaimed free speech advocate are piling up.
  • The US government is taking a second stab at breaking up Google: Starting Monday, the US government will get another crack at convincing a federal judge to break up Google, after a different judge decided to keep it intact despite finding it to be a monopolist.
  • Henry Halfhead is full of heart: In Henry Halfhead, you play through the life of a person named Henry. But there are a couple twists. Henry is only half of a head – just eyes, ears, nose, and the top of their head – meaning they move around by sliding on the floor and jumping up and down.
  • An ICE raid at an EV factory raises fears about US instability: A banner depicting an Immigration and Customs Enforcement (ICE) officer masquerading as President Donald Trump is held up in a crowd as South Korean workers, detained in an ICE raid at Hyundai’s Georgia EV plant, are expected to return.
  • Patch Now: Max-Severity Fortra GoAnywhere Bug Allows Command Injection: Exploitation of the flaw, tracked as CVE-2025-10035, is highly dependent on whether systems are exposed to the Internet, according to Fortra.
  • Capture the Flag Competition Leads to Cybersecurity Career: As Splunk celebrates the 10th anniversary of Boss of the SOC competition, it continues to be a valuable platform for security professionals to test their skills, learn new techniques, and potentially advance their careers in cybersecurity.
  • ‘ShadowLeak’ ChatGPT Attack Allows Hackers to Invisibly Steal Emails: The loophole allows cyberattackers to exfiltrate company data via OpenAI’s infrastructure, leaving no trace at all on enterprise systems.
  • 🏴‍☠️ Incransom has just published a new victim : Pennsylvania Office of Attorney General: Pennsylvania Office of Attorney General is a law enforcement official that protects and serves the agencies of the Commonwealth and citizens of Harrisburg, Pennsylvania. 5.7TB data leak, access to internal network of FBI and more…
  • 🏴‍☠️ Qilin has just published a new victim : goodcents.com: Goodcents, USA – Cheap food outlets are part of Custom Foods Inc., a company that produces frozen dough. The company manufactures a wide range of products, including dough for pizza, bread, cookies, and much more.
  • 🏴‍☠️ Qilin has just published a new victim : NV ELMAR: A blackout in Aruba is only a matter of time. The incompetence and unprofessionalism of NV ELMAR managers — the only electricity supplier on the island — could send the entire island back to the Stone Age.
  • 🏴‍☠️ Blackshrantac has just published a new victim : Altaş: [AI generated] Altaş is a Turkey-based company that specializes in the production and export of automotive spare parts and components. The company offers a wide range of products, including parts for commercial and passenger vehicles, agricultural machinery and industrial equipment.
  • 🏴‍☠️ Blackshrantac has just published a new victim : Klingelnberg India Pvt Ltd: [AI generated] Klingelnberg India Pvt Ltd is a subsidiary of the global engineering company Klingelnberg Group. Located in India, the company specializes in the development and manufacture of precision technology, providing different industries with gear technology, gear tools, and automation systems.
  • 🏴‍☠️ Embargo has just published a new victim : usadebusk.com: USA DeBusk provides a comprehensive suite of industrial cleaning and infrastructure maintenance services to a diverse, blue-chip customer base across a broad r… – 2 TB including Contracts, Client Data, Employee Private Data, Incident Reports, and more
  • 🏴‍☠️ Qilin has just published a new victim : Promociones Luis Barros: Promociones Luis Barros is a Galician family firm specializing in the construction and promotion of luxury residences in southern Pontevedra.
  • 🏴‍☠️ Play has just published a new victim : United Machine: United States
  • 🏴‍☠️ Anubis has just published a new victim : Alan Shintani, Inc: Photos and blueprints of government facilities.
  • 🏴‍☠️ Qilin has just published a new victim : EUM Asset Management: EUM Asset Management, Korean Leak2. Company claims that customer trust is their top priority. Well, they have lost that trust. The Seoul-based asset management company focuses primarily on private equity funds.