Latest Ransomware News and New File Extensions
Akira Ransomware:
- New Encrypted File Extension: Not specified in the article.
- Attack Methods: Breaching SonicWall SSL VPN accounts, even those protected with OTP-based Multi-Factor Authentication (MFA). The method is suspected to involve the use of previously stolen OTP seeds.
- Targets: Organizations utilizing SonicWall SSL VPN devices.
- Decryption Status: No decryption method was mentioned.
- Source: Akira ransomware breaching MFA-protected SonicWall VPN accounts
Sinobi Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion via public announcements on their leak site. Specific intrusion vectors were not detailed.
- Targets: A diverse range of organizations including Naftali Group (real estate), Bignault & Carter (law firm), The DM Burr Group (facility services), Belleville International (manufacturing), WaltersMorgan Construction, Punctual Abstract (title services), Dorrell Fabrics (textiles), Crane Production Systems (industrial equipment), and Queens Center For Change (counseling services).
- Decryption Status: Not applicable, as the primary tactic is data leak extortion.
- Source: Multiple victim announcement posts by Sinobi.
Play Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and publication of victims on their leak site to apply pressure.
- Targets: Various U.S.-based companies including Amelia Overhead Doors, Pangborn, ComTec Systems, Earthadelic, Steve Basso Plumbing Heating, and Atlas Pressed Metals.
- Decryption Status: Not applicable (data leak extortion).
- Source: Multiple victim announcement posts by Play.
Qilin Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public shaming on their leak site.
- Targets: Hoffman Estates Park District (heparks.org) and PTR Asset Management, a South Korean investment firm.
- Decryption Status: Not applicable (data leak extortion).
- Source: Multiple victim announcement posts by Qilin.
Other Active Ransomware/Extortion Groups:
- Incransom: Targeted PHI Studio (phi.ca), a Canadian company focused on immersive works (VR/AR/XR).
- Sarcoma: Targeted MSB General Contractors (USA), leaking a claimed 66 GB of files and SQL data.
- Nova: Targeted FysioRoadmap, a Dutch physiotherapy software provider, claiming to have stolen 10 GB of patient data.
- Killsec: Announced attacks on WalletKu Indompet Indonesia and XChief / ForexChief.
- Coinbasecartel: Publicly named victims BAM and BW-RF.
- Handala: Leaked an employee contact list from Spacecom, an Israeli satellite communications operator.
Observations and Further Recommendations
- Ransomware groups continue to target a wide and diverse range of industries, including technology, real estate, legal services, construction, manufacturing, and public sector entities like a park district.
- The Akira ransomware campaign highlights a significant threat: the exploitation of network edge devices, such as SonicWall VPNs. The attackers' apparent ability to bypass OTP-based MFA suggests techniques that go beyond simple credential theft, possibly involving previously stolen MFA seeds, which would allow them to generate valid one-time codes for the compromised accounts.
- Data exfiltration followed by public naming on leak sites remains a primary pressure tactic for numerous groups, including Sinobi, Play, and Qilin, emphasizing the importance of data protection in addition to encryption prevention.
- Organizations should prioritize patching vulnerabilities on all internet-facing systems, particularly VPNs. It is also crucial to review MFA implementations for weaknesses and adopt phishing-resistant authentication methods where possible. Maintaining robust, offline backup and recovery plans remains a critical line of defense.
News Details
- Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security: Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses.
- First Malicious MCP Server Found Stealing Emails in Rogue Postmark-MCP Package: Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks.
- Akira ransomware breaching MFA-protected SonicWall VPN accounts: Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts.
- EU probes SAP over anti-competitive ERP support practices: The European Commission is investigating potential anti-competitive practices in aftermarket services SAP provides for its on-premise ERP software.
- Fake Microsoft Teams installers push Oyster malware via malvertising: Hackers have been spotted using SEO poisoning and search engine advertisements to promote fake Microsoft Teams installers that infect Windows devices with the Oyster backdoor, providing initial access to corporate networks.
- CMF’s first over-ear headphones have an energy slider for boosting bass and treble: CMF, the budget-focused sub-brand that Nothing plans to spin off into a standalone subsidiary, has launched its first pair of over-ear wireless headphones. The CMF Headphone Pro borrows features like a multi-function roller control from Nothing’s Headphone 1 that debuted in July…
- Apple’s ‘Veritas’ chatbot is reportedly an employee-only test of Siri’s AI upgrades: According to Bloomberg’s Mark Gurman, Apple is testing Siri’s upcoming revamp using an internal chatbot called Veritas. The company’s struggles as it tries to keep pace in the AI race are no secret.
- Larry Ellison’s quest to run the world: For most of his career Larry Ellison has been content to quietly let Oracle be the company, behind the company, behind the technology that makes headlines. Its biggest products are cloud computing and database products that it sells to enterprise customers…
- Trump posts, then pulls bizarre AI video promoting MedBed conspiracy: Donald Trump is no stranger to outlandish conspiracies or strange social media posts. But, by any measure, his post on Saturday night was particularly bizarre. The president posted (and later removed) a clip on Truth Social of a fake Fox News segment…
- I spent three months with Telly, the free TV that’s always showing ads: The last few months, I’ve felt like I’m living in a cyberpunk movie. Each night, when I get ready to wind down, I reach for the remote to turn on a TV I got for free.
- Good news: TechWoven is fine: As the nation’s foremost FineWoven hater, I have some great news about Apple’s follow-up: it doesn’t suck. I’ve been using a TechWoven case on an iPhone 17 Pro for the past week and I have no complaints.
- How the voice of Silksong’s Hornet brought her to life through gibberish: Silksong resembles the original Hollow Knight in many ways, though right from the start, you can hear one key difference: Hornet. Hollow Knight’s protagonist was silent, but just as Hornet was voiced in that game, as the protagonist of Silksong, she has a voice…
- How generative AI boosters are trying to break into Hollywood: This is The Stepback, a weekly newsletter breaking down one essential story from the tech world. For more on the intersection of entertainment and technology, follow Charles Pulliam-Moore.
- I need a life cool enough for the new GoPro: Hi, friends! Welcome to Installer No. 99, your guide to the best and Verge-iest stuff in the world.
- Martin Shkreli can be sued for copying Wu-Tang’s one-of-a-kind record: Disgraced pharma bro, convicted felon, and perennial challenger for America’s Most Hateable Man, Martin Shkreli will have to face a lawsuit for making copies of the Wu-Tang Clan’s Once Upon a Time in Shaolin.
- 🏴‍☠️ Incransom has just published a new victim : phi.ca: PHI Studio focuses its activities on the presentation and curation of immersive works in virtual reality (VR), augmented reality (AR) and extended reality (XR).
- 🏴‍☠️ Qilin has just published a new victim : heparks.org: The Hoffman Estates Park District strives to provide the local community with exceptional recreational programs, well-maintained parks, and high-quality facilities.
- 🏴‍☠️ Sarcoma has just published a new victim : MSB: MSB General Contractors specializes in disaster recovery services, offering support and solutions for clients affected by various emergencies. Geo: USA – Leak size: 66 GB Archive – Contains: Files, SQL
- 🏴‍☠️ Sinobi has just published a new victim : Naftali Group: Naftali Group, a privately held global real estate development and investment firm based in New York City, has a prestigious track record…
- 🏴‍☠️ Sinobi has just published a new victim : Bignault & Carter: Bignault & Carter's Savannah law practice is focused on the representation of Labor Unions and Pension, Vacation, and Health and Welfare Funds in and around Savannah, Georgia.
- 🏴‍☠️ Sinobi has just published a new victim : The DM Burr Group: The DM Burr Group is a multifaceted company that has many divisions that are complementary to one another, giving our customers the easiest way possible to bundle services together…
- 🏴‍☠️ Sinobi has just published a new victim : Belleville International: Belleville International specializes in precision load solutions, providing durable washers and disc springs designed for high-stress environments across various industries.
- 🏴‍☠️ Sinobi has just published a new victim : WaltersMorgan Construction: Walters-Morgan Construction, Inc. is a leading construction firm based in Manhattan, Kansas, specializing in the construction of water and wastewater treatment plants…
- 🏴‍☠️ Sinobi has just published a new victim : Punctual Abstract: Punctual Abstract is a leading provider of abstracting services in the land title industry, boasting over 25 years of experience.
- 🏴‍☠️ Sinobi has just published a new victim : Dorrell Fabrics: Dorell Fabrics specializes in fabric sourcing and innovation, offering a wide array of products including residential, performance, contract, outdoor, and specialty fabrics.
- 🏴‍☠️ Sinobi has just published a new victim : Crane Production Systems: Crane Production Systems is a full-service metal stamping and material handling company that specializes in the installation and servicing of industrial equipment.
- 🏴‍☠️ Sinobi has just published a new victim : Queens Center For Change: Queens Counseling for Change (QCC) provides behavioral counseling services. Services are provided by licensed counselors with many years of experience in the field.
- 🏴‍☠️ Killsec has just published a new victim : WalletKu Indompet Indonesia: N/A
- 🏴‍☠️ Killsec has just published a new victim : XChief / ForexChief: N/A
- 🏴‍☠️ Coinbasecartel has just published a new victim : BAM: You are fully aware of what we have, yet you’ve chosen not to uphold your end of the agreement. This is unacceptable. If you do not get in touch …
- 🏴‍☠️ Coinbasecartel has just published a new victim : BW-RF: We suggest you contact us asap
- 🏴‍☠️ Qilin has just published a new victim : PTR Asset Management: PTR Asset Management, KoreanLeak3 – A shell company that jumps from bed to bed. Meet PTR Asset Management. An investment company from South Korea.
- 🏴‍☠️ Handala has just published a new victim : List of Spacecom employees: Despite Spacecom’s legendary talent for saying “No comment” faster than a rocket launch, you can now skip the press releases and go straight to the source.
- 🏴‍☠️ Nova has just published a new victim : FysioRoadmap: FysioRoadmap is part of Monitored Rehab Systems… we stole 10 GB of data with more than 20k docs containing BSN numbers, phone numbers, full patient names and info…
- 🏴‍☠️ Play has just published a new victim : Amelia Overhead Doors: United States
- 🏴‍☠️ Play has just published a new victim : Pangborn: United States
- 🏴‍☠️ Play has just published a new victim : ComTec Systems: United States
- 🏴‍☠️ Play has just published a new victim : Earthadelic: United States
- 🏴‍☠️ Play has just published a new victim : Steve Basso Plumbing Heating: United States
- 🏴‍☠️ Play has just published a new victim : Atlas Pressed Metals: United States