Latest Ransomware News and New File Extensions
- Unnamed Ransomware (European Airports Attack):
  - New Encrypted File Extension: Not specified in reports.
  - Attack Methods: Supply chain attack targeting a third-party provider of check-in and boarding kiosk software.
  - Targets: Major European airports, resulting in significant flight delays and cancellations.
  - Decryption Status: No information available; the primary impact reported is operational disruption.
  - Source: Airport disruptions in Europe caused by a ransomware attack; Airport Chaos Shows Human Impact of 3rd-Party Attacks
- Play Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and publication of victims on its leak site.
  - Targets: Numerous organizations primarily in the US, but also in Canada and New Zealand. Victims include Takeuchi US, DHM Properties, Vcinity, GrammaTech, and Agility CIS.
  - Decryption Status: No decryption information available.
  - Source: Ransomware Leak Site Notification
- Sarcoma Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and extortion, claiming to have stolen several terabytes of data from victims.
  - Targets: Thermofin (Germany) and Miami Management (USA).
  - Decryption Status: No decryption information available.
  - Source: Ransomware Leak Site Notification
- Akira Ransomware:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and extortion, threatening to leak 25GB of sensitive corporate and client data.
  - Targets: Markowitz Ringel Trusty & Hartog, a law firm.
  - Decryption Status: No decryption information available.
  - Source: Ransomware Leak Site Notification
- Other Active Ransomware Operations:
  - New Encrypted File Extension: Not specified.
  - Attack Methods: Data exfiltration and extortion via leak site publications.
  - Targets: Various companies were claimed as victims by groups including Spacebears (Edro Real Estate, Batesky Law Office), Incransom (CPK Interior Products), Qilin (CEG Construction), Abyss (Optimum Design Associates), and Killsec (multiple entities).
  - Decryption Status: No decryption information available for these victims.
  - Source: Ransomware Leak Site Notification
Observations and Further Recommendations
- Supply Chain Attacks Remain a Critical Threat: The major ransomware attack disrupting European airports was executed by compromising a third-party software provider, underscoring the significant risks posed by supply chain vulnerabilities.
- High Volume of Ransomware Activity: Multiple ransomware groups, including Play, Sarcoma, Akira, and others, demonstrated high activity levels, listing numerous victims across diverse sectors such as manufacturing, real estate, legal, and technology.
- Data Exfiltration is a Standard Tactic: All mentioned ransomware groups operate on a double-extortion model, exfiltrating large volumes of sensitive data (including PII, financial records, and confidential legal files) before encryption and threatening to publish it online.
- Recommendations: Organizations should rigorously vet the security posture of third-party vendors, enforce multi-factor authentication (as recommended by GitHub to secure the npm ecosystem), and maintain robust, offline data backups to mitigate the impact of both data encryption and extortion tactics.
News Details
- GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security: GitHub on Monday announced that it will be changing its authentication and publishing options “in the near future” in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), […]
- BadIIS Malware Spreads via SEO Poisoning — Redirects Traffic, Plants Web Shells: Cybersecurity researchers are calling attention to a search engine optimization (SEO) poisoning campaign likely undertaken by a Chinese-speaking threat actor using a malware called BadIIS in attacks targeting East and Southeast Asia, particularly with a focus on Vietnam. The activity, dubbed Operation Rewrite, is being tracked by Palo Alto Networks Unit 42 under the moniker CL-UNK-1037, where […]
- ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks: Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at least April 2025. The activity primarily targeted industrial, financial, tourism, biotechnology, research, and trade sectors, cybersecurity company F6 said in an analysis published last week. The attack chain involves […]
- ⚡ Weekly Recap: Chrome 0-Day, AI Hacking Tools, DDR5 Bit-Flips, npm Worm & More: The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach. This week’s recap explores the trends driving that constant churn: how threat […]
- How to Gain Control of AI Agents and Non-Human Identities: We hear this a lot: “We’ve got hundreds of service accounts and AI agents running in the background. We didn’t create most of them. We don’t know who owns them. How are we supposed to secure them?” Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks […]
- Microsoft Patches Critical Entra ID Flaw Enabling Global Admin Impersonation Across Tenants: A critical token validation failure in Microsoft Entra ID (previously Azure Active Directory) could have allowed attackers to impersonate any user, including Global Administrators, across any tenant. The vulnerability, tracked as CVE-2025-55241, has been assigned the maximum CVSS score of 10.0. It has been described by Microsoft as a privilege escalation flaw in Azure Entra. There is no […]
- NPM package caught using QR Code to fetch cookie-stealing malware: Newly discovered npm package ‘fezbox’ employs QR codes to hide a second-stage payload to steal cookies from a user’s web browser. The package, masquerading as a utility library, leverages this innovative steganographic technique to harvest sensitive data, such as user credentials, from a compromised machine. […]
- Airport disruptions in Europe caused by a ransomware attack: The disruptions over the weekend at several major European airports were caused by a ransomware attack targeting the check-in and boarding systems. […]
- American Archive of Public Broadcasting fixes bug exposing restricted media: A vulnerability in the American Archive of Public Broadcasting’s website allowed downloading of protected and private media for years, with the flaw quietly patched this month. […]
- Automaker giant Stellantis confirms data breach after Salesforce hack: Automotive manufacturing giant Stellantis has confirmed that attackers stole some of its North American customers’ data after gaining access to a third-party service provider’s platform. […]
- New EDR-Freeze tool uses Windows WER to suspend security software: A new method and proof-of-concept tool called EDR-Freeze demonstrates that evading security solutions is possible from user mode with Microsoft’s Windows Error Reporting (WER) system. […]
- Microsoft lifts Windows 11 update block after face detection fix: Microsoft has removed a compatibility hold that prevented devices with integrated cameras from installing Windows 11 24H2 due to a face detection bug causing app freezes. […]
- Mozilla now lets Firefox add-on devs roll back bad updates: Mozilla has announced a new feature that enables Firefox extension developers to roll back to previously approved versions, allowing them to quickly address critical bugs and issues. […]
- LastPass: Fake password managers infect Mac users with malware: LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. […]
- Why attackers are moving beyond email-based phishing attacks: Phishing isn’t just email anymore. Attackers now use social media, chat apps & malicious ads to steal credentials. Push Security explains the latest tactics and shows how to stop multi-channel phishing where it happens — inside the browser. […]
- Microsoft says recent updates cause DRM video playback issues: Microsoft has confirmed a known issue that prevents some apps from playing Digital Rights Management (DRM) protected video content or displaying and recording live TV. […]
- Verified Steam game steals streamer’s cancer treatment donations: A gamer seeking financial support for cancer treatment lost $32,000 after downloading from Steam a verified game named BlockBlasters that drained his cryptocurrency wallet. […]
- Microsoft Entra ID flaw allowed hijacking any company’s tenant: A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world. […]
- Volvo promises software improvements for buggy EX90 SUV: Volvo’s EX90 SUV was supposed to usher in a new era of electrified dominance for the Chinese-owned, Swedish-designed automaker. Instead, the three-row SUV has been plagued by problems from the very start, including blank infotainment screens, faulty climate controls, driver assist failures, and the noticeable lack of working lidar sensors. Now, the EX90 is getting a fresh coat of paint, and the automaker is promising a much improved experience.
- Uber launches prepaid passes for frequent routes: Uber is still trying to chip away at the perception that its ridehailing service is too expensive by launching a new feature aimed at helping customers save money on frequently traveled routes. Today, the company is launching prepaid passes, in which customers can pay a discounted price in advance on frequently taken trips.
- Microsoft’s Windows AI Lab is a new way to test experimental features: Microsoft is starting to test experimental AI-powered features through a new Windows AI Labs program. Some Windows testers spotted references to the Windows AI Labs program in pre-release updates to Microsoft Paint last week, and Microsoft has now confirmed to The Verge that the program is designed to provide early access to new AI features across Windows.
- Tado’s new AI features will adaptively heat your home: Tado’s Auto Assist gets an AI update. Smart thermostat company Tado is launching new AI-powered features that aim to help users heat their homes more efficiently. Tado says the AI Assist update builds on the company’s existing Auto Assist options by introducing “advanced machine-learning” that “learns, predicts, and optimizes” heating in real time.
- Here’s a first look at Kojima’s OD Xbox game: Hideo Kojima first announced he was teaming up with Xbox for a new game in 2022, before a teaser revealed the OD name and some cast last year. We’re now getting a better look at exactly what OD is, in a new three-minute teaser trailer that holds true to Kojima’s promise that the game will be unique and immersive.
- Palworld is getting a farming spinoff: Palworld won’t hit 1.0 until next year, but developer Pocketpair is already announcing a farming spinoff: Palworld: Palfarm. Basically, it sounds like the Palworld version of farming simulator games like Stardew Valley.
- Trump escalates crackdown by designating ‘Antifa’ a domestic terror group: The Trump administration’s crackdown on perceived left-wing threats following the death of Charlie Kirk continued on Monday evening, with Donald Trump announcing an executive order titled “Designating Antifa as a Domestic Terrorist Organization.”
- The AI-energy apocalypse might be a little overblown: Even if AI turns out not to be as much of an energy hog as people are making it out to be, it could still spell out trouble for power grids across the US. Tech companies are already burning through increasing amounts of electricity to train and run new AI models. And they’re asking for a lot more electricity as they try to outcompete each other.
- The best iPhones: New iPhones for the AI era. If you’ve been holding off on getting a new iPhone, now’s the perfect time to size up your options. Apple recently launched its 2025 iPhone lineup, which includes the iPhone 17, 17 Pro, 17 Pro Max, and a brand-new model, the ultra-thin iPhone Air.
- Steam game removed after cryptostealer takes over $150K: Steam has taken down a game containing malware that drained the cryptocurrency wallets belonging to hundreds of players, as reported earlier by Bleeping Computer. The free-to-play 2D platformer, titled BlockBlasters, took more than $150,000 from victims, including $32,000 from a streamer raising funds for their cancer treatment.
- Iran-Linked Hackers Target Europe With New Malware: “Nimbus Manticore” is back at it, this time with improved variants of its flagship malware and targets that are outside its usual focus area.
- Attackers Use Phony GitHub Pages to Deliver Mac Malware: Threat actors are using a large-scale SEO poisoning campaign and fake GitHub repositories to deliver Atomic infostealers to Mac users.
- Airport Chaos Shows Human Impact of 3rd-Party Attacks: Major EU airports such as Heathrow were disrupted over the weekend after a cyberattack hit the provider of check-in kiosk software, which caused delays and flight cancellations.
- 15 Years of Zero Trust: Why It Matters More Than Ever: With the emergence of AI-driven attacks and quantum computing, and the explosion of hyperconnected devices, zero trust remains a core strategy for security operations.
- 🏴☠️ Sarcoma has just published a new victim : Thermofin: Thermofin GmbH specializes in innovative and high-performance cooling solutions for various industries, including industrial refrigeration and air conditioning. Their product range includes evaporators, air coolers, heat pumps, and hybrid chillers, designed to cater to both commercial and industrial clients.
- 🏴☠️ Spacebears has just published a new victim : Edro Real Estate: Real estate agency with extensive experience in construction, finance, and sales. Offers expertise in home construction and the financing process to guide buyers and sellers, available. Database; Financial documents; Personal information of employees and clients. https://edrorealestate.com/
- 🏴☠️ Play has just published a new victim : Takeuchi US: United States
- 🏴☠️ Play has just published a new victim : DHM Properties: United States
- 🏴☠️ Play has just published a new victim : Vcinity: United States
- 🏴☠️ Play has just published a new victim : GrammaTech: United States
- 🏴☠️ Play has just published a new victim : APG: United States
- 🏴☠️ Play has just published a new victim : Roth & Scholl: United States
- 🏴☠️ Play has just published a new victim : New England Waterproofing: United States
- 🏴☠️ Play has just published a new victim : Combined Services HVAC: United States
- 🏴☠️ Play has just published a new victim : PTR: United States
- 🏴☠️ Play has just published a new victim : Agility CIS: New Zealand
- 🏴☠️ Play has just published a new victim : Hilldun: United States
- 🏴☠️ Play has just published a new victim : Ronco Safety: Canada
- 🏴☠️ Incransom has just published a new victim : CPK Interior: Cpk Interior Products, founded in 2010 and headquartered in Ontario, Canada, is a manufacturer of interior automotive components and products. The company specializes in producing high-quality parts for vehicle interiors, serving the automotive manufacturing industry with B2B solutions.
- 🏴☠️ Akira has just published a new victim : Markowitz Ringel Trusty & Hartog: Markowitz Ringel Trusty & Hartog provide services as Restructuring Insolvency, Litigation Dispute Resolution, Real Estate Business, Probate Guardianship, and Trust Estates. We are going to upload 25gb corporate data. Huge amount of employees and clients information (full names, DOB, address, emails, phones, SSNs, DLs, death/birth certs and so on), legal files (police reports, hearings protocols and other court confidential files), financials, a bit of credit card information, NDAs, etc.
- 🏴☠️ Qilin has just published a new victim : cegconstruction.com: CEG Construction is on a path to self-destruction. This company is an industrial contractor based in Southern California that specializes in the construction of concrete warehouses and food processing facilities. They offer comprehensive desi …
- 🏴☠️ Killsec has just published a new victim : Rainwalk Technology: N/A
- 🏴☠️ Killsec has just published a new victim : Fractalite: N/A
- 🏴☠️ Killsec has just published a new victim : BEHCA: N/A
- 🏴☠️ Killsec has just published a new victim : VTK Legal: N/A
- 🏴☠️ Killsec has just published a new victim : AX CAPITAL: N/A
- 🏴☠️ Killsec has just published a new victim : FDB Collections: N/A
- 🏴☠️ Killsec has just published a new victim : MortDash: N/A
- 🏴☠️ Killsec has just published a new victim : Scanbo: N/A
- 🏴☠️ Killsec has just published a new victim : UwayApply: N/A
- 🏴☠️ Killsec has just published a new victim : Top4Fans: N/A
- 🏴☠️ Killsec has just published a new victim : Cadorim: N/A
- 🏴☠️ Abyss has just published a new victim : optimumdesign.com: Optimum Design Associates specializes in PCB design services, leveraging elite experience and proven methodologies to deliver high-quality electronic engineering solutions.
- 🏴☠️ Spacebears has just published a new victim : Batesky Law Office (BLO): Attorney Richard Batesky has devoted nearly 30 years of his life to helping his clients receive compensation after a car accident, construction site accident, or personal injury due to another person’s negligence. At Batesky Law Office, we devote ourselves to discovering the best way to achieve a favorable outcome for all of our clients.
- 🏴☠️ Sarcoma has just published a new victim : Miami Management: Miami Management, Inc. is a full-service property management company serving the residential, condominium, high-rise, and commercial markets in South Florida. They offer customized management plans, fully licensed Community Association Managers, and a suite of services including financial reporting, vendor negotiation, and maintenance solutions.