Latest Ransomware News and New File Extensions
Medusa:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration for public leakage (double extortion). Specific intrusion vectors are not mentioned.
- Targets: CCMC (community management), Comcast (media/tech), Organon (pharmaceuticals), Insightin Health (healthcare tech), Future Generali (insurance), Leprohon (construction), and LGB (manufacturing). The group lists employee counts and data leakage sizes for each victim.
- Decryption Status: No known public decryptor. Victims are listed on their leak site.
- Source: Provided news feed.
Incransom:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: Hillside Public Library, Stalker Radar (Applied Concepts, Inc.), and Ouellet Construction.
- Decryption Status: No known public decryptor. Victims are listed on their leak site.
- Source: Provided news feed.
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: Rihatec.de (automation), uhlcompany.com (building management), AIP Asset Management (finance), Corban OneSource (HR outsourcing), and IONODES (IP video solutions).
- Decryption Status: No known public decryptor. Victims are listed on their leak site.
- Source: Provided news feed.
Thegentlemen:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: 2GO Group (Philippine logistics), AUSA Soluciones Logisticas (Peruvian logistics), and Astra Otoparts / PT. Inti Ganda Perdana (Indonesian manufacturing).
- Decryption Status: No known public decryptor. Victims are listed on their leak site.
- Source: Provided news feed.
Shinyhunters:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Not specified in the articles.
- Targets: S&P Global (market intelligence) and CIC Vietnam (consultancy).
- Decryption Status: No known public decryptor. Victims are listed on their leak site.
- Source: Provided news feed.
Other Ransomware Groups:
- New Encrypted File Extension: Not specified in the articles for any group.
- Attack Methods: The articles are leak site announcements and do not specify attack vectors. The Devman group specified ransom demands for two victims.
- Targets: Various groups have listed single victims:
  - Rhysida: Medstar Health
  - Blackshrantac: Standard Fiber
  - Beast: Garro Fabril
  - Pear: Western Orthopaedics
  - Play: Waterborne Environmental
  - Devman: teeuwissen.com and www.hameshakem.co.il
  - Securotrop: Mill Bay Marine Group
- Decryption Status: No known public decryptors.
- Source: Provided news feed.
Observations and Further Recommendations
- A high volume of activity was reported from multiple ransomware groups, particularly Medusa, Qilin, and Incransom, who published numerous victims in a short period.
- The targets are highly diverse, spanning industries such as technology, healthcare, manufacturing, finance, logistics, construction, and even public services like libraries. This indicates that many attacks are opportunistic and not confined to a single sector.
- The news is dominated by leak site announcements, reinforcing the prevalence of the double-extortion tactic, where data is stolen before encryption to pressure victims into paying the ransom.
- Organizations should maintain a robust defense-in-depth strategy, including regular data backups (offline and immutable), multi-factor authentication, network segmentation, and timely patching of vulnerabilities to mitigate risks.
News Details
- CometJacking: One Click Can Turn Perplexity’s Comet AI Browser Into a Data Thief: Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity’s agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.
- Scanning Activity on Palo Alto Networks Portals Jump 500% in One Day: Threat intelligence firm GreyNoise disclosed on Friday that it has observed a massive spike in scanning activity targeting Palo Alto Networks login portals. The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025.
- Detour Dog Caught Running DNS-Powered Malware Factory for Strela Stealer: A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.
- Leaked Apple iPad Pro M5 benchmark shows massive improvements: A new leaked benchmark shows Apple’s alleged M5 chip on an iPad, and it’s almost as fast as a desktop CPU. […]
- ChatGPT social could be a thing, as leak shows direct messages support: OpenAI doesn’t want ChatGPT to remain just a chatbot for interacting with a large language model. […]
- OpenAI rolls out GPT Codex Alpha with early access to new models: OpenAI’s Codex is already making waves in the vibe coding vertical, and it’s now set to get even better. […]
- OpenAI wants ChatGPT to be your emotional support: GPT-5 isn’t as good as GPT-4o when it comes to emotional support, but that changes today. […]
- OpenAI prepares $4 ChatGPT Go for several new countries: OpenAI has been testing a new, cheaper ChatGPT plan called “Go,” and it’s now rolling out to more regions.
- Massive surge in scans targeting Palo Alto Networks login portals: A spike in suspicious scans targeting Palo Alto Networks login portals indicates clear reconnaissance efforts from suspicious IP addresses, researchers warn.
- Discord discloses data breach after hackers steal support tickets: Hackers stole partial payment information and personally identifiable data, including names and government-issued IDs, from some Discord users after compromising a third-party customer service provider.
- Scattered Lapsus$ Hunters Returns With Salesforce Leak Site: After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met.
- 🏴☠️ Incransom has just published a new victim : hillsidelibrary.org: Hillside Public Library offers a number of options for patrons blind or visually impaired. Our Kurzweil software scans in any typewritten document and reads the document aloud to the patron.
- 🏴☠️ Incransom has just published a new victim : stalkerradar.com: Applied Concepts, Inc., d.b.a. Stalker Radar, was founded as a small contract engineering and manufacturing firm in 1975. Since that time, we have grown to be the United States premier manufacturer of police radar and Lidar in the United States.
- 🏴☠️ Incransom has just published a new victim : ocmaine.com: Ouellet Construction is a family-led construction company specializing in commercial construction services in Southern Maine and the broader New England area.
- 🏴☠️ Qilin has just published a new victim : Rihatec.de: Rihatec Systemlösungen, Germany – Automation of control systems, innovative solutions, cooperation with large corporations. Sounds impressive, doesn’t it?
- 🏴☠️ Qilin has just published a new victim : uhlcompany.com: Imagine that the building where you live or work has gone haywire. You can’t turn the lights on or off, the heating and air conditioning systems are out of order, and the video cameras have stopped focusing on the right areas.
- 🏴☠️ Rhysida has just published a new victim : Medstar Health: Medstar Health
- 🏴☠️ Medusa has just published a new victim : Comcast: Comcast Corporation operates as a media and technology company worldwide. It operates through Residential Connectivity & Platforms, Business Services Connectivity, Media, Studios, and Theme Parks segments.
- 🏴☠️ Medusa has just published a new victim : Organon: Organon creates, manufactures and markets innovative prescription medicines that improve the health and quality of human life.
- 🏴☠️ Medusa has just published a new victim : Insightin Health: Insightin Health helps healthcare payers eliminate data silos and deliver highly satisfying consumer-centric experiences. inGAGE our software as a service (Saas) platform is the industry leading solution for quickly creating a connected data ecosystem.
- 🏴☠️ Play has just published a new victim : Waterborne Environmental: United States