Ransomware Update – 2025-10-02

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Motility Software Solutions Ransomware Attack:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A ransomware attack that resulted in data exfiltration.
    • Targets: Motility Software Solutions, a provider of dealer management software. The breach exposed the data of 766,000 customers.
    • Decryption Status: Not specified in the report.
    • Source: Data breach at dealership software provider impacts 766k clients
  • Clop Extortion Campaign:

    • New Encrypted File Extension: Not applicable (extortion-only attack).
    • Attack Methods: Data theft from victims’ Oracle E-Business Suite systems, followed by direct extortion emails to company executives.
    • Targets: Executives at multiple companies utilizing Oracle E-Business Suite.
    • Decryption Status: Not applicable, as this is a data theft and extortion campaign.
    • Source: Clop extortion emails claim theft of Oracle E-Business Suite data
  • Klopatra Android Banking Trojan:

    • New Encrypted File Extension: Not applicable (Banking Trojan/RAT).
    • Attack Methods: The malware is disguised as IPTV or VPN applications. It uses Hidden Virtual Network Computing (VNC) to gain remote control of infected smartphones for financial theft.
    • Targets: Over 3,000 Android device users, primarily located in Spain and Italy.
    • Decryption Status: Not applicable.
    • Source: New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones
  • Ransomware Leak Site Activity:

    • Prominent Details: Multiple ransomware groups, including Akira, Incransom, Sinobi, Qilin, and Spacebears, have actively published new victims on their data leak sites, indicating widespread data exfiltration and extortion campaigns.
    • New Encrypted File Extension: Not specified in leak announcements.
    • Attack Methods: Data exfiltration followed by public naming and shaming to pressure victims into paying a ransom.
    • Targets: A diverse range of sectors, including construction (Barr and Barr), healthcare (Johnson Regional Medical Center, Cholakyan Chiropractic), technology (Calsoft Systems), and manufacturing (White Birch Paper).
    • Decryption Status: Not applicable for data leaks.
    • Source: Aggregated from various ransomware leak site announcements in the provided news feed.

Observations and Further Recommendations

  • Ransomware operations remain highly active, with a clear focus on data exfiltration and multi-faceted extortion tactics rather than just encryption. Groups like Akira, Sinobi, and Qilin continue to target a wide variety of industries.
  • Extortion-only campaigns are a persistent threat, as seen with the Clop group targeting vulnerabilities in widely used enterprise software like Oracle E-Business Suite to pressure victims.
  • Mobile threats are becoming more sophisticated. The Klopatra Android trojan demonstrates the use of remote access capabilities (VNC) to directly control devices for financial fraud, moving beyond simple data theft.
  • In response to rising threats, major technology companies are enhancing security features. Google has started rolling out an AI-powered ransomware detection feature in Google Drive for desktop, which can automatically pause file syncing to mitigate damage.
  • Organizations should prioritize securing critical enterprise applications, conduct regular security audits, and enhance defenses against mobile threats.

News Details

  • Data breach at dealership software provider impacts 766k clients: A ransomware attack at Motility Software Solutions, a provider of dealer management software (DMS), has exposed the sensitive data of 766,000 customers.
  • Clop extortion emails claim theft of Oracle E-Business Suite data: Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
  • New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones: A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.
  • Google Drive for desktop gets AI-powered ransomware detection: Google has begun rolling out a new AI-powered security feature for Google Drive desktop, which will automatically pause file syncing when it detects a ransomware attack to minimize impact.
  • 🏴‍☠️ Akira has just published a new victim: Barr and Barr: Barr & Barr, Inc is a construction management company that provides building information modeling & construction management. We are going to upload 323 GB of corporate data. Employee detailed information (name, address, DOB, phones, scanned passports, DLs, death reports and so on), financials, clients information, contracts and agreements, projects, and other files.
  • 🏴‍☠️ Incransom has just published a new victim: callhci.com: Heritage Communications is a B2B telecommunications provider based in Little Rock, Arkansas, specializing in high-quality Cloud and On-Prem VoIP services from NEC. They serve businesses throughout Arkansas and West Tennessee, offering scalable and customizable telecommunications solutions tailored to meet specific client needs.
  • 🏴‍☠️ Sinobi has just published a new victim: Johnson Regional Medical Center: Johnson Regional Medical Center has been a healthcare provider in Johnson, Logan, Franklin, and Pope counties since 1922, evolving from humble beginnings into a licensed facility with 90 beds. The center offers a wide range of medical services including outpatient therapy, orthopedics, emergency care, and various specialty clinics.