Latest Ransomware News and New File Extensions
Obscura Ransomware:
- New Encrypted File Extension: Not specified in the provided text.
- Attack Methods: Spreads from a victim’s compromised domain controller, indicating deployment after internal network compromise.
- Targets: Corporate networks.
- Decryption Status: No information available on decryption tools.
- Source: Source URL not provided.
RTX Ransomware:
- New Encrypted File Extension: Not specified in the provided text.
- Attack Methods: Details of the attack method were not provided in the article.
- Targets: European airports, causing significant disruptions.
- Decryption Status: No information available on decryption tools; the news focuses on a law enforcement arrest.
- Source: Source URL not provided.
Observations and Further Recommendations
- The current news highlights both the emergence of new ransomware threats like Obscura and significant law enforcement action against established groups like RTX.
- The Obscura variant’s distribution via a domain controller underscores the critical importance of securing core network infrastructure, such as Active Directory, to prevent widespread deployment.
- The attack on European airports by the RTX group serves as a reminder that critical infrastructure remains a high-value target for ransomware operators.
- Organizations should continue to prioritize robust security for internal servers, implement network segmentation, and maintain comprehensive incident response and backup plans.
News Details
- Tech Overtakes Gaming as Top DDoS Attack Target, New Gcore Radar Report Finds: The latest Gcore Radar report, analyzing attack data from Q1–Q2 2025, reveals a 41% year-on-year increase in total attack volume. The largest attack peaked at 2.2 Tbps, surpassing the 2 Tbps record set in late 2024. Attacks are growing not only in scale but in sophistication, with longer durations, multi-layered strategies, and a shift in target industries.
- Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed: Cybersecurity researchers have discovered two malicious Rust crates impersonating a legitimate library called fastlog to steal Solana and Ethereum wallet keys from source code. The crates, named fasterlog and async_println, were published by the threat actor under the aliases rustguruman and dumbnbased on May 25, 2025, amassing 8,424 downloads in total.
- Cisco Warns of Actively Exploited SNMP Vulnerability Allowing RCE or DoS in IOS Software: Cisco has warned of a high-severity security flaw in IOS Software and IOS XE Software that could allow a remote attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition under specific circumstances. The company said the vulnerability, CVE-2025-20352 (CVSS score: 7.7), has been exploited in the wild.
- Chinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike: A suspected cyber espionage activity cluster that was previously found targeting global government and private sector organizations spanning Africa, Asia, North America, South America, and Oceania has been assessed to be a Chinese state-sponsored threat actor.
- UNC5221 Uses BRICKSTORM Backdoor to Infiltrate U.S. Legal and Technology Sectors: Companies in the legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. have been targeted by a suspected China-nexus cyber espionage group to deliver a known backdoor referred to as BRICKSTORM.
- Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models: Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks.
- How One Bad Password Ended a 158-Year-Old Business: Most businesses don’t make it past their fifth birthday – studies show that roughly 50% of small businesses fail within the first five years. So when KNP Logistics Group (formerly Knights of Old) celebrated more than a century and a half of operations, it had mastered the art of survival.
- New YiBackdoor Malware Shares Major Code Overlaps with IcedID and Latrodectus: Cybersecurity researchers have disclosed details of a new malware family dubbed YiBackdoor that has been found to share “significant” source code overlaps with IcedID and Latrodectus.
- iframe Security Exposed: The Blind Spot Fueling Payment Skimmer Attacks: Think payment iframes are secure by design? Think again. Sophisticated attackers have quietly evolved malicious overlay techniques to exploit checkout pages and steal credit card data by bypassing the very security policies designed to stop them.
- Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials: Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
- State-Sponsored Hackers Exploiting Libraesva Email Security Gateway Vulnerability: Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1.
- Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security: Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image.
- Eurojust Arrests 5 in €100M Cryptocurrency Investment Fraud Spanning 23 Countries: Law enforcement authorities in Europe have arrested five suspects in connection with an “elaborate” online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain.
- New Supermicro BMC flaws can create persistent backdoors: Two vulnerabilities affecting the firmware of Supermicro hardware, including the Baseboard Management Controller (BMC), allow attackers to update systems with maliciously crafted images.
- OpenAI is testing a new GPT-5-based AI agent “GPT-Alpha”: OpenAI is internally testing a new version of its AI agent, which uses a special version of GPT-5 dubbed “GPT-Alpha.”
- Kali Linux 2025.3 released with 10 new tools, Wi-Fi enhancements: Kali Linux has released version 2025.3, the third version of 2025, featuring ten new tools, Nexmon support, and NetHunter improvements.
- Cisco warns of IOS zero-day vulnerability exploited in attacks: Cisco has released security updates to address a high-severity zero-day vulnerability in Cisco IOS and IOS XE Software that is currently being exploited in attacks.
- Unpatched flaw in OnePlus phones lets rogue apps access text messages: A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction.
- Police seize $439 million stolen by cybercrime rings worldwide: In a five-month joint operation led by Interpol, law enforcement agencies have seized more than $439 million in cash and cryptocurrency linked to cyber-enabled financial crimes that impacted thousands of victims worldwide.
- Obscura, an obscure new ransomware variant: Huntress analysts discovered a previously unseen ransomware variant, Obscura, spreading from a victim company’s domain controller. Learn how Obscura works—and what it means for defenders—in this week’s Tradecraft Tuesday.
- Google: Brickstorm malware used to steal U.S. orgs’ data for over a year: Suspected Chinese hackers have used the Brickstorm malware in long-term persistence espionage operations against U.S. organizations in the technology and legal sectors.
- UK arrests suspect for RTX ransomware attack causing airport disruptions: The UK’s National Crime Agency has arrested a suspect linked to a ransomware attack that is causing widespread disruptions across European airports.
- PyPI urges users to reset credentials after new phishing attacks: The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials.
- GitHub notifications abused to impersonate Y Combinator for crypto theft: A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.
- Boyd Gaming discloses data breach after suffering a cyberattack: US gaming and casino operator Boyd Gaming Corporation disclosed it suffered a breach after threat actors gained access to its systems and stole data, including employee information and data belonging to a limited number of other individuals.
- CISA: Attackers Breach Federal Agency via Critical GeoServer Flaw: Threat actors exploited CVE-2024-36401 less than two weeks after it was initially disclosed and used it to gain access to a large federal civilian executive branch (FCEB) agency that uses the geospatial mapping data.
- The Fall of Scattered Spider? Teen Member Surrenders Amid Group’s Shutdown Claims: The cybercrime group continues to gain attention despite its apparent shutdown last week.
- Russia Targets Moldovan Election in Disinformation Play: Researchers have tracked a Russian disinformation campaign against upcoming Moldovan elections, linking it to a previous campaign that began in 2022.
- Threat Actor Deploys ‘OVERSTEP’ Backdoor in Ongoing SonicWall SMA Attacks: Hackers tracked as UNC6148 are attacking SonicWall security devices by installing hidden software, allowing them to control systems, steal passwords, and hide their activities.
- Npm Package Hides Malware in Steganographic QR Codes: The poisoned package, purporting to be a JavaScript utility, threatens the software supply chain with a highly obfuscated credential stealer.
- Chinese APT Uses OSS & PoCs to Spy on Other Countries: “RedNovember” is both lazy and punctual: always quick to do its homework on new vulnerabilities, but always getting the answers from cyber defenders.
- As Incidents Rise, Japanese Government’s Cybersecurity Falls Short: The Japanese government suffered the most cybersecurity incidents in 2024 — 447, nearly double the previous year — while failing to manage 16% of critical systems.
- GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up: GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.
- Exposed Docker Daemons Fuel DDoS Botnet: The for-hire platform leverages legitimate cloud-native tools to make detection and disruption harder for defenders and SOC analysts.
- Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms: U.S. prosecutors last week levied criminal hacking charges against 19-year-old U.K. national Thalha Jubair for allegedly being a core member of Scattered Spider, a prolific cybercrime group blamed for extorting at least $115 million in ransom payments from victims.