Ransomware Update – 2025-10-01

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:
    • New Encrypted File Extension: Not specified.
    • Attack Methods: Actively targeting SonicWall firewall customers by exploiting a known vulnerability.
    • Targets: A wide range of industries including manufacturing (Cascade Pacific Pulp, Midwest Industries, Sinco, Pawling), aviation (Priester Aviation), construction (Burke Contracting), real estate (Sueba USA), retail/distribution (Tom Duffy Company, Turf Care Store), logistics (Von Paris Moving), technology/services (Apex CoVantage), and a Swiss equipment provider (Bugnard).
    • Decryption Status: No known free decryption tool is available. The group uses double extortion tactics by threatening to leak stolen data.
    • Source: Provided News Articles
  • Incransom:
    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Healthcare (Cholakyan Chiropractic), Retail/Industrial (LAMMCO.NET), Home Improvement (idealbathrooms.ie), and Construction (North America Construction LTD).
    • Decryption Status: No known free decryption tool is available.
    • Source: Provided News Articles
  • Qilin:
    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Multiple asset management firms in South Korea (Foremost, TRAUM, Petraville, Mobidic), a US school (Rectory School), and a travel agency (Pangea Travel Store).
    • Decryption Status: No known free decryption tool is available.
    • Source: Provided News Articles
  • Other Active Groups:
    • Prominent Details: Numerous other ransomware groups including Spacebears, J, Coinbasecartel, Securotrop, Dragonforce, Anubis, Play, Payoutsking, Pear, Devman, Termite, Lynx, Blacknevas, Nova, and Thegentlemen have also published new victims.
    • Targets: These attacks span various sectors such as healthcare, legal, retail, education, finance, media, and technology across different regions.
    • Decryption Status: No known free decryption tools are available for these groups.
    • Source: Provided News Articles

Observations and Further Recommendations

  • A significant volume of ransomware activity is being reported by numerous distinct groups, indicating a thriving and diverse cybercriminal ecosystem. Akira, Qilin, and Incransom appear particularly active, targeting a broad spectrum of industries.
  • The Akira ransomware campaign’s exploitation of a known SonicWall VPN vulnerability underscores a critical trend: attackers are leveraging unpatched security flaws in public-facing infrastructure.
  • The predominant strategy is “double extortion,” where attackers not only encrypt files but also exfiltrate sensitive corporate and personal data, threatening public release to coerce payment. This makes data backups alone an incomplete defense strategy.
  • It is crucial for organizations to prioritize timely patching of all systems, especially internet-facing devices like VPNs and firewalls, and to implement robust security monitoring to detect and respond to intrusions quickly.

News Details

  • 2025 Cybersecurity Reality Check: Breaches Hidden, Attack Surfaces Growing, and AI Misperceptions Rising: Bitdefender’s 2025 Cybersecurity Assessment Report paints a sobering picture of today’s cyber defense landscape: mounting pressure to remain silent after breaches, a gap between leadership and frontline teams, and a growing urgency to shrink the enterprise attack surface.
  • Hackers Exploit Milesight Routers to Send Phishing SMS to European Users: Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022.
  • New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones: A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
  • Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs: The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new targeted cyber attacks in the country using a backdoor called CABINETRAT.
  • New $50 Battering RAM Attack Breaks Intel and AMD Cloud Security Protections: A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors.
  • Phantom Taurus: New China-Linked Hacker Group Hits Governments With Stealth Malware: Government and telecommunications organizations across Africa, the Middle East, and Asia have emerged as the target of a previously undocumented China-aligned nation-state actor dubbed Phantom Taurus over the past two-and-a-half years.
  • Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits: Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google’s Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft.
  • Microsoft Expands Sentinel Into Agentic Security Platform With Unified Data Lake: Microsoft on Tuesday unveiled the expansion of its Sentinel Security Information and Event Management (SIEM) solution into a unified agentic platform with the general availability of the Sentinel data lake.
  • Stop Alert Chaos: Context Is the Key to Effective Incident Response: The Problem: Legacy SOCs and Endless Alert Noise. Every SOC leader knows the feeling: hundreds of alerts pouring in, dashboards lighting up like a slot machine, analysts scrambling to keep pace.
  • Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024: A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs.
  • New Android Trojan “Datzbro” Tricking Elderly with AI-Generated Facebook Travel Events: Cybersecurity researchers have flagged a previously undocumented Android banking trojan called Datzbro that can conduct device takeover (DTO) attacks and perform fraudulent transactions by preying on the elderly.
  • Evolving Enterprise Defense to Secure the Modern AI Supply Chain: The world of enterprise technology is undergoing a dramatic shift. Gen-AI adoption is accelerating at an unprecedented pace, and SaaS vendors are embedding powerful LLMs directly into their platforms.
  • U.K. Police Just Seized £5.5 Billion in Bitcoin — The World’s Largest Crypto Bust: A Chinese national has been convicted for her role in a fraudulent cryptocurrency scheme after law enforcement authorities in the U.K. confiscated £5.5 billion (about $7.39 billion) during a raid of her home in London.
  • CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
  • Designing CPUs for next-generation supercomputing: In Seattle, a meteorologist analyzes dynamic atmospheric models to predict the next major storm system. In Stuttgart, an automotive engineer examines crash-test simulations for vehicle safety certification.
  • Powering HPC with next-generation CPUs: For all the excitement around GPUs—the workhorses of today’s AI revolution—the central processing unit (CPU) remains the backbone of high-performance computing (HPC).
  • Delivering a digital sixth sense with next-generation networks: [No content provided]
  • Imgur blocks UK users after data watchdog signals possible fine: People in the United Kingdom are no longer able to access content hosted on Imgur, a popular media sharing site, after a UK data watchdog warned it may impose a monetary penalty on the parent company, MediaLab.
  • Sendit sued by the FTC for illegal collection of children’s data: The Federal Trade Commission (FTC) is suing Sendit’s operating company and its CEO for unlawful collection of data from underage users, as well as deceptive subscription practices.
  • New MatrixPDF toolkit turns PDFs into phishing and malware lures: A new phishing and malware distribution toolkit called MatrixPDF allows attackers to convert ordinary PDF files into interactive lures that bypass email security and redirect victims to credential theft or malware downloads.
  • WestJet confirms recent breach exposed customers’ passports: Canadian airline WestJet is informing customers that the cyberattack disclosed in June compromised their sensitive information, including passports and ID documents.
  • Windows 11 2025 Update (25H2) is now available, here’s what’s new: Today, Microsoft announced the release of Windows 11 25H2, also known as Windows 11 2025 Update.
  • Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws: Roughly 50,000 Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) appliances exposed on the public web are affected by two vulnerabilities actively leveraged by hackers.
  • Critical WD My Cloud bug allows remote command injection: Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands.
  • Chinese hackers exploiting VMware zero-day since October 2024: Broadcom has patched a high-severity privilege escalation vulnerability in its VMware Aria Operations and VMware Tools software, which has been exploited in zero-day attacks since October 2024.
  • VMware Certification Is Surging in a Shifting IT Landscape: VMware certification is surging as IT teams face hybrid infrastructure, cloud complexity, and rising risks. See how VMUG Advantage helps practitioners and enterprises turn certification into stronger security and measurable value.
  • Microsoft fixes Windows DRM video playback issues for some users: Microsoft says it has “partially” resolved a known issue that caused problems when trying to play DRM-protected video in Blu-ray/DVD/Digital TV applications.
  • CISA warns of critical Linux Sudo flaw exploited in attacks: Hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux operating systems.
  • Windows 11 KB5065789 update released with 41 changes and fixes: Microsoft has released the KB5065789 preview cumulative update for Windows 11 24H2, which includes 41 improvements, including new AI actions in File Explorer and bug fixes for Windows Update and Windows Sandbox.
  • Broadcom fixes high-severity VMware NSX bugs reported by NSA: Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA).
  • Brompton’s versatile Electric G folding e-bike is now available in the US: The Brompton Electric G folding e-bike I reviewed last year is now available to buy in the US starting at $4,950.
  • Epic says it has proof Apple was scaring users off third-party app stores: The Epic Games Store has seen an uptick in downloads since the EU’s Digital Markets Act (DMA) prompted Apple to streamline its process for installing third-party app marketplaces, according to a new blog published by Epic.
  • Wikimedia wants to make it easier for you and AI developers to search through its data: The late English writer Douglas Adams is best known as the author of the 1979 book The Hitchhiker’s Guide to the Galaxy. But there is much more to Adams than what is written in his Wikipedia entry.
  • Roland’s TR-1000 is its first analog drum machine in over 40 years: Roland has largely decided to sit out the analog synth renaissance of the last decade. But it’s (belatedly) making amends for that error with the launch of the TR-1000 Rhythm Generator.
  • All hail the new Fat Bear Champion: The votes are in, and the winner of Fat Bear Week 2025 is the indomitable Bear 32, also known as Chunk.
  • Here’s where to preorder all of Amazon’s new Alexa devices and when they arrive: Amazon’s fall hardware event had a little of everything: updated Echo speakers, several Blink security devices, and even a Kindle Scribe with a color screen.
  • Google is blocking AI searches for Trump and dementia: Google appears to have blocked AI search results for the query “does trump show signs of dementia” as well as other questions about his mental acuity, even though it will show AI results for similar searches about other presidents.
  • TikTok, #freedom edition: Hello and welcome to Regulator. Today is the last day of The Verge’s very good subscription sale: $4 for a month and $35 for the year, for full access to the entire site.
  • Refurbished Sonos headphones, speakers, and soundbars are up to 25 percent off right now: With the impact of President Trump’s tariffs leading to higher prices on Sonos gear, scoring a deal feels extra special. Right now, Sonos is currently offering up to 25 percent off a range of refurbished devices…
  • You can now preorder LG’s 6K 32-inch Thunderbolt 5 display for $2,000: LG first announced its new 32-inch UltraFine monitor at CES 2025. The company still bills it as the “world’s first 6K monitor with Thunderbolt 5 connectivity” built right in.
  • China Imposes One-Hour Reporting Rule for Major Cyber Incidents: The sweeping new regulations show that China’s serious about hardening its own networks after launching widespread attacks on global networks.
  • New China APT Strikes With Precision and Persistence: Phantom Taurus demonstrates a deep understanding of Windows environments, including advanced components like IIServerCore, a fileless backdoor that executes in memory to evade detection.
  • ‘Klopatra’ Trojan Makes Bank Transfers While You Sleep: A sophisticated new banking malware is hard to detect, capable of stealing lots of money, and infecting thousands of people in Italy and Spain.
  • China Exploited New VMware Bug for Nearly a Year: A seemingly benign privilege-escalation process in VMware and other software has likely benefited attackers and other malware strains for years, researchers noted.
  • Can Shadow AI Risks Be Stopped?: Agentic AI has introduced abundant shadow artificial intelligence (AI) risks. Cybersecurity startup Entro Security extends its platform to help enterprises combat the growing issue.
  • ‘Trifecta’ of Google Gemini Flaws Turn AI Into Attack Vehicle: Flaws in individual models of Google’s AI suite created significant security and privacy risks for users, demonstrating the need for heightened defenses.
  • AI-Powered Voice Cloning Raises Vishing Risks: A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information.
  • IoT Security Flounders Amid Churning Risk: The Internet of Things (IoT) has made everything more interconnected, but an important US government security initiative is stuck in limbo while threat actors step up attacks on everything from medical gear to printers.
  • Sneaky, Malicious MCP Server Exfiltrates Secrets via BCC: The first known malicious MCP server is an AI integration tool that automatically sends emails such as those related to password resets, account confirmations, security alerts, invoices, and receipts to threat actors.
  • Akira Hits SonicWall VPNs in Broad Ransomware Campaign: Akira ransomware actors are currently targeting SonicWall firewall customers vulnerable to a bug discovered last year.
  • 🏴‍☠️ Incransom has just published a new victim : Cholakyan Chiropractic: Here at Cholakyan Chiropractic we have built chiropractic offices, which are very well equipped with state of the art physiotherapy modalities, chiropractic tables, traction units, a high frequency Digital X-ray machine and rehab/therapeutic exercise equipment.
  • 🏴‍☠️ Incransom has just published a new victim : LAMMCO.NET: LAMMCO specializes in industrial furniture and construction specialties. The company focuses on providing high-quality products tailored for various industrial applications.
  • 🏴‍☠️ Spacebears has just published a new victim : Smiles By Steedman: Smiles By Steedman, a family and general dentistry practice in Lake Stevens, Washington! We are dedicated to providing you and your family with the personalized, affordable and comfortable care that you deserve.
  • 🏴‍☠️ Incransom has just published a new victim : idealbathrooms.ie: Ideal Bathrooms is a leading bathroom distributor in the UK, offering a wide range of high-quality bathroom products including toilets, baths, basins, taps, and furniture.
  • 🏴‍☠️ Incransom has just published a new victim : Nacsworld.com: Founded in 1993 and headquartered in Morriston, Ontario, North America Construction LTD (NAC) is a general contractor and construction company.
  • 🏴‍☠️ J has just published a new victim : multi-media systeme AG (mmsag.de): [AI generated] N/A
  • 🏴‍☠️ Coinbasecartel has just published a new victim : C Well: You will be posted if you do not reply
  • 🏴‍☠️ Securotrop has just published a new victim : Weschler’s Auctioneers: Status: AWAITING Size: 1429 GB
  • 🏴‍☠️ Dragonforce has just published a new victim : Greenville Legal: David R. Price, Jr., P.A. is a personal injury law firm based in Greenville, South Carolina, specializing in a wide range of legal matters including auto accidents, wrongful death, and workers’ compensation.
  • 🏴‍☠️ Coinbasecartel has just published a new victim : The L B: You will be posted if you do not reply, do not play with us
  • 🏴‍☠️ Anubis has just published a new victim : Storage King: Major personal data leak
  • 🏴‍☠️ Qilin has just published a new victim : Foremost Asset Management: Foremost Asset Management, KoreanLeak3 – First and foremost, they forgot the rules of survival in the market. Company was established in 2021 in Seoul, South Korea.
  • 🏴‍☠️ Play has just published a new victim : Komar Industries: United States
  • 🏴‍☠️ Qilin has just published a new victim : Rectory School: Rectory School, USA – What began as a charitable educational project has turned into a money-making machine for children.
  • 🏴‍☠️ Qilin has just published a new victim : TRAUM Investment Co.: TRAUM Investment Co., KoreanLeak3 – We confirm your fears. TRAUM Investment, a major player in the country’s stock market, appeared in 2016.
  • 🏴‍☠️ Qilin has just published a new victim : Petraville Asset Management: Petraville Asset Management, KoreanLeak3 – a direct path to investment loss. Company was founded in Seoul, Korea, in 2022.
  • 🏴‍☠️ Securotrop has just published a new victim : JW Howard Attorneys: Status: AWAITING Size: 637 GB
  • 🏴‍☠️ Akira has just published a new victim : Cascade Pacific Pulp: Cascade Pacific Pulp LLC is a leading market pulp mill located in the Pacific Northwest… We are ready to upload more than 146GB data.
  • 🏴‍☠️ Payoutsking has just published a new victim : Ls: [No content provided]
  • 🏴‍☠️ Akira has just published a new victim : Priester Aviation: Priester Aviation is a leading provider of aircraft management and private jet charter services… We are going to upload 124gb of corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Sinco: Sinco, Inc. is a certified company specializing in sheet metal fabrication… We are going to upload 13gb of corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Pawling: Pawling provides the following services: Architectural Products… We are going to upload 21gb corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Tom Duffy Company: Tom Duffy Company specializes in floor covering and supplies… We are going to upload 7 gb of corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Midwest Industries, Inc: Midwest Industries, Inc. designs, manufactures, and markets boats… We are going to upload of corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Turf Care Store: Turf Care Store is an independent, and privately held Canadian company… We are going to upload 30gb of their corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Bugnard: Bugnard is a Swiss market leader for equipment used in the installation of electrical and telecommunication networks… We are going to upload 32gb of their corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Sueba USA: With over three decades of experience, a reputation for quality… SUEBA USA is an innovator in the real estate development market… We are going to upload 20gb of their corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Von Paris Moving: Von Paris Moving is a moving company that provides services in the moving and storage industry… We are going to upload corporate data.
  • 🏴‍☠️ Akira has just published a new victim : Apex CoVantage: The company provides data conversion, prepress, content enhancement, and editorial services… We are ready to upload more than 35GB files.
  • 🏴‍☠️ Akira has just published a new victim : Burke Contracting: Burke Contracting provides design-build, general construction… We are going to upload 292gb of corporate data.
  • 🏴‍☠️ Pear has just published a new victim : MCBS, LLC: Provides a complete range of management services to healthcare providers
  • 🏴‍☠️ Devman has just published a new victim : www.wrapex.ca: Ransom: 780000 USD
  • 🏴‍☠️ J has just published a new victim : AZpro Group (azprogroup.com): [AI generated] AZpro Group is a multi-faceted company that specializes in graphic design, installation, and printing services.
  • 🏴‍☠️ Qilin has just published a new victim : Mobidic Asset Management: Mobidic Asset Management Co., KoreanLeak3 – another failure. The company has been operating on the country’s stock market since 2021.
  • 🏴‍☠️ Termite has just published a new victim : News-Press and Gazette Co.: News-Press & Gazette Company publishes daily newspapers and weekly publications.
  • 🏴‍☠️ Lynx has just published a new victim : Dodd-group-ltd: During the attack we quietly extracted roughly 4 TB of data, including material from secured repositories.
  • 🏴‍☠️ Blacknevas has just published a new victim : Caresoft Global caresoftglobal.com: Caresoft Global is a global engineering company specializing in solutions for the automotive, off-highway, agricultural, and construction equipment industries… All accounting records from 2021 to the present day and other documents are for sale.
  • 🏴‍☠️ Qilin has just published a new victim : Pangea Travel Store: PANGEA The Travel Store is a boutique travel agency that designs bespoke, full-service trips tailored to individual tastes.
  • 🏴‍☠️ Nova has just published a new victim : Université de Pau et du Pays de l’Adour: The Université de Pau et du Pays de l’Adour was founded in 1972… we stole 80GB of data including docs, reports, billing PDFs, plans…
  • 🏴‍☠️ Thegentlemen has just published a new victim : Al-Babtain Power & Telecommunication: Stock Symbol 2320. www.al-babtain.com.sa http://www.albabtain-egypt.com/ Al-Babtain Power & Telecom was established as a family run business in 1955.