Ransomware Update – 2025-10-03

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Cl0p-affiliated Activity:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Sending extortion emails directly to executives, claiming to have stolen sensitive data from their Oracle E-Business Suite systems. This is a data theft and extortion campaign rather than a traditional encryption attack.
    • Targets: Organizations using Oracle E-Business Suite.
    • Decryption Status: Not applicable, as the primary threat is data exposure, not encryption.
    • Source: https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html
  • Attack on Asahi Group (Japan):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A ransomware attack that forced company systems offline, leading to a suspension of order, shipment, and call center operations.
    • Targets: Asahi Group, a major Japanese beverage maker.
    • Decryption Status: No known method yet; the company is working on system recovery and manually processing orders.
    • Source: https://www.theverge.com/2025/10/3/24921932/asahi-super-dry-beer-shortage-cyberattack-ransomware
  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration followed by extortion threats to publish sensitive corporate and personal data.
    • Targets: Sobotec, Xebec Building Company, Dual Temp, Displayit, and Apricorn.
    • Decryption Status: Not applicable; the threat is data publication.
    • Source: Provided ransomware feeds.
  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion, claiming to have terabytes of sensitive data from victims.
    • Targets: Shamir Medical Center (Israel), Saginaw Chippewa Indian Tribe of Michigan, Mitchell Industries.
    • Decryption Status: Not applicable; the threat is data publication.
    • Source: Provided ransomware feeds.
  • Sinobi:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Multiple organizations across various sectors, including Watsonville Community Hospital, Johnson Regional Medical Center, Judson Center, and Calsoft Systems.
    • Decryption Status: Not applicable; the threat is data publication.
    • Source: Provided ransomware feeds.
  • Incransom:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: stockmeier-urethanes.com and suntreeinternalmedicine.com.
    • Decryption Status: Not applicable; the threat is data publication.
    • Source: Provided ransomware feeds.

Observations and Further Recommendations

  • A significant volume of data breach and extortion incidents is being reported by numerous ransomware groups, including Akira, Qilin, and Sinobi, indicating widespread and continuous operations targeting various industries.
  • Threat actors are continuing to use targeted approaches. A campaign potentially linked to Cl0p is specifically targeting organizations using Oracle E-Business Suite, highlighting the risk associated with widely used enterprise software.
  • The cyberattack on Asahi in Japan demonstrates the severe real-world consequences of ransomware, leading to major production and supply chain disruptions.
  • Organizations should prioritize robust security measures, including patching critical software vulnerabilities promptly, implementing multi-factor authentication (MFA), conducting regular security awareness training, and maintaining a tested incident response plan to mitigate the risk of both data encryption and extortion attacks.

News Details

  • Google Mandiant Probes New Oracle Extortion Wave Possibly Linked to Cl0p Ransomware: Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as Cl0p. The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite.
  • Clop extortion emails claim theft of Oracle E-Business Suite data: Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
  • Japan’s most popular beer is running low after cyberattack: A system failure has slowed production of Asahi Super Dry in Japan, with no available ETA for recovery. Japan is facing a potential shortage of Asahi beer after a cyberattack against the beverage maker forced its systems offline. Asahi Group issued a statement on Monday announcing that order, shipment, and call center operations at the company had been suspended due to the systems outage.
  • Data breach at dealership software provider impacts 766k clients: A ransomware attack at Motility Software Solutions, a provider of dealer management software (DMS), has exposed the sensitive data of 766,000 customers.
  • Red Hat confirms security incident after hackers breach GitLab instance: An extortion group calling itself the Crimson Collective claims to have stolen nearly 570GB of compressed data across 28,000 internal development repositories, with the company confirming it was a breach of one of its GitLab instances.
  • Confucius Hackers Hit Pakistan With New WooperStealer and Anondoor Malware: The threat actor known as Confucius has been attributed to a new phishing campaign that has targeted Pakistan with malware families like WooperStealer and Anondoor.
  • CISA Flags Meteobridge CVE-2025-4008 Flaw as Actively Exploited in the Wild: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.