Latest Ransomware News and New File Extensions
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public shaming on their leak site to extort victims.
- Targets: A wide range of industries including asset management (Podo Asset Management, HUB ASSET MANAGEMENT, Trustar Capital, Summit Asset Management), manufacturing (XC Associates, regalmold.com, smpeurope.com), real estate (oconnorcp.com), municipal government (Town of Waxhaw, NC), architecture/infrastructure (sperispa.com), and food production (grupobocel.com). Victims also included healthcare services (halemakua.org) and office supply distribution (officepro.cl).
- Decryption Status: No free decryption tool available; recovery requires paying the ransom or using backups.
- Source: Ransomware leak site monitoring.
Spacebears:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion, threatening to leak sensitive data.
- Targets: Healthcare and cosmetics industries, specifically a private dental system in Argentina (SOP) and a Brazilian cosmetics company (Fattore Cosméticos Ltda).
- Decryption Status: No free decryption tool available; recovery requires paying the ransom or using backups.
- Source: Ransomware leak site monitoring.
Nova:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion, claiming to have stolen 100 GB of data from one victim.
- Targets: An audiovisual services company in Spain (AV Services Barcelona).
- Decryption Status: No free decryption tool available; recovery requires paying the ransom or using backups.
- Source: Ransomware leak site monitoring.
Sarcoma:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion, claiming a 285 GB data leak from the victim.
- Targets: A promotional product importer in Germany (MACMA Werbeartikel oHG).
- Decryption Status: No free decryption tool available; recovery requires paying the ransom or using backups.
- Source: Ransomware leak site monitoring.
Scattered Spider (Impact News):
- Prominent Details: While not a new victim announcement, a report confirmed the financial impact of a past attack. The Co-operative Group in the U.K. reported an operating profit loss of £80 million ($107 million) due to a cyberattack attributed to the group.
- Source: https://www.bleepingcomputer.com/news/security/co-op-says-it-lost-107-million-after-scattered-spider-attack/
Observations and Further Recommendations
- A significant number of actively exploited zero-day vulnerabilities affect network infrastructure, particularly Cisco ASA firewalls and Fortra's GoAnywhere MFT software. The exploitation of the GoAnywhere flaw a week before its public disclosure underscores the threat posed by sophisticated actors who obtain or discover vulnerabilities ahead of vendor advisories.
- Ransomware groups like Qilin continue to be highly prolific, targeting a diverse array of global sectors including finance, manufacturing, healthcare, and government, indicating broad, opportunistic campaigns.
- The software supply chain remains a critical attack vector. Malicious packages have been found in both Rust’s Crates.io repository (stealing cryptocurrency keys) and the npm registry, highlighting the risk to developers and their organizations.
- It is crucial for organizations to prioritize immediate patching of critical vulnerabilities on internet-facing systems. A robust, tested backup and recovery plan is essential for resilience against data encryption and extortion attacks.
News Details
- Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure: Cybersecurity company watchTowr Labs has disclosed that it has "credible evidence" of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a full week before it was publicly disclosed.
- New macOS XCSSET Variant Targets Firefox with Clipper and Persistence Module: Cybersecurity researchers have discovered an updated version of a known Apple macOS malware called XCSSET that has been observed in limited attacks. “This new variant of XCSSET brings key changes related to browser targeting, clipboard hijacking, and persistence mechanisms,” the Microsoft Threat Intelligence team said.
- Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware: The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.
- Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive: Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.
- Co-op says it lost $107 million after Scattered Spider attack: The Co-operative Group in the U.K. released its interim financial results report for the first half of 2025 with a massive loss in operating profit of £80 million ($107 million) due to the cyberattack it suffered last April.
- CISA orders agencies to patch Cisco flaws exploited in zero-day attacks: CISA has issued a new emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against two flaws that have been exploited in zero-day attacks.
- Malicious Rust Crates Steal Solana and Ethereum Keys — 8,424 Downloads Confirmed: Cybersecurity researchers have discovered two malicious Rust crates impersonating a legitimate library called fast_log to steal Solana and Ethereum wallet keys from source code.
- Unofficial Postmark MCP npm silently stole users' emails: An npm package copying the official 'postmark-mcp' project on GitHub turned malicious with its latest update, which added a single line of code to exfiltrate all of its users' email communication.
- North Korean Hackers Use New AkdoorTea Backdoor to Target Global Crypto Developers: The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor.
- Salesforce Patches Critical ForcedLeak Bug Exposing CRM Data via AI Prompt Injection: Cybersecurity researchers have disclosed a critical flaw impacting Salesforce Agentforce, a platform for building artificial intelligence (AI) agents, that could allow attackers to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection.
- 🏴☠️ Qilin has just published a new victim: Podo Asset Management: Podo Asset Management, KoreanLeak3 – Don't bite off more than you can chew. Not everyone follows this simple rule. A clear example is Podo Asset Management.
- 🏴☠️ Nova has just published a new victim: AV Services Barcelona: AV Services Team specializes in providing comprehensive audiovisual services for events in Barcelona and Madrid… we have stolen 100 GB of data including resources, billing, customer info, plans…
- 🏴☠️ Spacebears has just published a new victim: SOP. Sistema Odontológico Privado: The Private Dental System (SOP) is a dental care company located at 19 de Mayo Street, No. 14, Altos, in the city of Bahía Blanca. It was created specifically to provide comprehensive assistance…
- 🏴☠️ Sarcoma has just published a new victim: MACMA Werbeartikel oHG: MACMA is one of the largest promotional product importers in Europe… Geo: Germany – Leak size: 285 GB Archive – Contains: Files.