Ransomware Update – 2025-09-30

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Breaching SonicWall SSL VPN devices, successfully logging into accounts even when they are protected with One-Time Password (OTP) Multi-Factor Authentication (MFA). It is suspected this is achieved using previously stolen OTP seeds.
    • Targets: Organizations using vulnerable SonicWall SSL VPN appliances.
    • Decryption Status: No decryption method or tool was mentioned in the reports.
    • Source: Akira ransomware breaching MFA-protected SonicWall VPN accounts
  • Medusa Ransomware:

    • New Encrypted File Extension: Not applicable.
    • Attack Methods: Attempting to recruit insiders by offering a BBC correspondent a large sum of money to help compromise the media organization’s network.
    • Targets: Media companies, with a specific attempt made against the BBC.
    • Decryption Status: Not applicable, as the news concerns an attack attempt, not a successful encryption event.
    • Source: Ransomware gang sought BBC reporter’s help in hacking media giant

Observations and Further Recommendations

  • Ransomware groups are employing advanced and varied tactics. The Akira gang’s ability to bypass MFA on corporate VPNs highlights a significant threat, while the Medusa gang’s attempt to recruit an insider underscores the growing risk of social engineering and internal threats.
  • The incidents emphasize the critical need for organizations not only to patch network infrastructure such as VPNs promptly, but also to implement robust, modern MFA solutions that are resistant to seed theft.
  • Companies should increase employee awareness training regarding insider threat recruitment tactics and establish clear channels for reporting suspicious approaches.
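
As an added illustration of why stolen OTP seeds defeat the kind of MFA discussed above (example code written for this digest, not taken from any of the cited reports or from SonicWall), the following minimal RFC 6238 TOTP implementation shows that a byte-identical copy of the seed yields exactly the code the server accepts, and that re-enrolling with a fresh seed is what invalidates the copy. Function names and the helper `stolen_seed_passes_mfa` are assumptions for this example.

```python
import hmac
import hashlib
import struct
import secrets


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting the current step plus/minus `window` steps of drift."""
    for drift in range(-window, window + 1):
        candidate = totp(seed, unix_time + drift * 30)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def stolen_seed_passes_mfa(server_seed: bytes, stolen_seed: bytes, unix_time: int) -> bool:
    """Hypothetical helper: an exact copy of the seed produces a code the server accepts,
    so OTP MFA adds nothing once the seed itself has leaked."""
    return verify_totp(server_seed, totp(stolen_seed, unix_time), unix_time)


def rotate_seed() -> bytes:
    """Re-enrolment issues a fresh random 160-bit seed; codes from the old seed stop verifying."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference seed; not a real account's seed.
    rfc_seed = b"12345678901234567890"
    print("code at t=59:", totp(rfc_seed, 59))                     # RFC vector: 287082
    print("stolen copy accepted:", stolen_seed_passes_mfa(rfc_seed, rfc_seed, 59))
    fresh = rotate_seed()
    print("old seed after rotation:", verify_totp(fresh, totp(rfc_seed, 59), 59))
```

The practical takeaway is that a suspected seed compromise is remediated by re-enrolling every affected account (new seed), not by a password reset alone.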

News Details

  • Akira ransomware breaching MFA-protected SonicWall VPN accounts: Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.
  • Ransomware gang sought BBC reporter’s help in hacking media giant: Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money.
  • Japan’s largest brewer suspends operations due to cyberattack: Asahi Group Holdings, Ltd (Asahi), the brewer of Japan’s top-selling beer, has disclosed a cyberattack that disrupted several of its operations.
  • UK govt backs JLR with £1.5 billion loan guarantee after cyberattack: The UK Government is providing Jaguar Land Rover (JLR) with a £1.5 billion loan guarantee to restore its supply chain after a catastrophic cyberattack forced the automaker to halt production.
  • Harrods suffers new data breach exposing 430,000 customer records: UK retail giant Harrods has disclosed a new cybersecurity incident after hackers compromised a third-party supplier and stole 430,000 records with sensitive e-commerce customer information.