Ransomware Update – 2025-10-06

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Cl0p Ransomware:

    • New Encrypted File Extension: Not specified. The primary goal noted is data theft.
    • Attack Methods: Actively exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle’s E-Business Suite, which allows for unauthenticated remote code execution.
    • Targets: Organizations using Oracle E-Business Suite.
    • Decryption Status: The threat focuses on data exfiltration and extortion. Oracle has released an emergency patch to prevent the attack.
    • Source: Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks
  • Akira Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration for extortion. The group claims to have stolen significant amounts of data, including financial records and personal information.
    • Targets: Natoli Engineering (pharmaceutical tooling), Saskarc Inc. (industrial), and Field and Goldberg, LLC (law firm).
    • Decryption Status: No information on decryption is available; the focus is on the data leak threat.
    • Source: Ransomware leak site publications (Mon, 06 Oct 2025).
  • IncRansom:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data theft and extortion.
    • Targets: A diverse range of small to medium-sized businesses and organizations, including WELLSLANDSCAPING.COM, Cobra Rolamentos e Autopeças (auto parts distributor), Terex (environmental consulting), Hillside Public Library, Stalker Radar (manufacturing), and Ouellet Construction.
    • Decryption Status: No information on decryption is available.
    • Source: Ransomware leak site publications (Sun, 05 Oct 2025 – Mon, 06 Oct 2025).
  • XWorm Malware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Distributed via phishing campaigns. The backdoor malware has been updated with a new ransomware module and over 35 plugins.
    • Targets: General users targeted through phishing emails.
    • Decryption Status: No known decryption method mentioned.
    • Source: XWorm malware resurfaces with ransomware module, over 35 plugins
  • Other Ransomware Activity:

    • Beast: Leaked data from Perennial (cable supplier) and The Methodist Church of Southern Africa.
    • ShinyHunters: Claimed attacks on Red Hat, Inc., S&P Global, and CIC Vietnam, focusing on data exfiltration.
    • AlphaLocker: Targeted Liberty Dental Care & Dentures, claiming to have stolen 58GB of data.
    • Nova: Claimed attacks on “Dnc” (business consulting) and SD Soluciones Digitales (printing), exfiltrating 130GB and 80GB of data, respectively.
    • Worldleaks: Leaked data from German jewelry retailer CHRIST Juweliere.
    • Qilin: Targeted German automation company Rihatec.de and uhlcompany.com.
    • Thegentlemen: Claimed an attack on the Philippine logistics company 2GO Group.
    • Securotrop: Targeted Mill Bay Marine Group, claiming to have 536 GB of data.

Observations and Further Recommendations

  • A significant volume of data leak notifications from various ransomware groups (Akira, IncRansom, Beast, etc.) indicates a continued focus on data exfiltration and double extortion tactics.
  • The targets are highly diverse, spanning industries like manufacturing, legal, retail, and non-profits, demonstrating that no sector is immune to these attacks.
  • High-severity vulnerabilities in widely-used enterprise software, such as the Oracle E-Business Suite flaw (CVE-2025-61882) exploited by Cl0p, remain a critical attack vector. This underscores the need for immediate patching and robust vulnerability management programs.
  • The re-emergence of older malware like XWorm, now equipped with ransomware capabilities, highlights the trend of threat actors evolving their tools. Phishing remains a primary and effective initial access method.
  • Recommendations: Organizations should prioritize applying security patches, conduct regular employee training to recognize phishing attempts, and maintain secure, offline data backups to mitigate the impact of an attack.

News Details

  • Zimbra Zero-Day Exploited to Target Brazilian Military via Malicious ICS Files: A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military. Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files,
  • Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks: Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle
  • XWorm malware resurfaces with ransomware module, over 35 plugins: New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year. […]
  • Oracle patches EBS zero-day exploited in Clop data theft attacks: Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks. […]
  • Hackers exploited Zimbra flaw as zero-day using iCalendar files: Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year. […]
  • ParkMobile pays… $1 each for 2021 data breach that hit 22 million: ParkMobile has finally wrapped up a class action lawsuit over the platform’s 2021 data breach that hit 22 million users. But there’s a catch: victims are receiving compensation in the form of a $1 in-app credit, which they must claim manually. And, it comes with an expiration date. […]
  • Leaked Apple iPad Pro M5 benchmark shows massive improvements: A new leaked benchmark shows Apple’s alleged M5 chip on an iPad, and it’s almost as fast as a desktop CPU. […]
  • ChatGPT social could be a thing, as leak shows direct messages support: OpenAI doesn’t want ChatGPT to remain just a chatbot for interacting with a large language model. […]
  • OpenAI rolls out GPT Codex Alpha with early access to new models: OpenAI’s Codex is already making waves in the vibe coding vertical, and it’s now set to get even better. […]
  • AMD teams up with OpenAI to challenge Nvidia’s AI chip dominance: AMD is partnering with OpenAI to provide six gigawatts worth of processors for AI data centers, a move that challenges Nvidia’s AI chip market dominance. The five-year agreement aims to help OpenAI bolster its infrastructure to meet growing computational demands for AI applications like ChatGPT, starting with a gigawatt deployment of AMD Instinct MI450 GPUs in the second half of 2026, according to AMD’s press release.
  • Sora provides better control over videos featuring your AI self: Sora now lets you rein in your AI doubles, giving you more say on how and where deepfake versions of you make an appearance on the app. The update lands as OpenAI hurries to show it actually cares about its users’ concerns as an all-too-predictable tsunami of AI slop threatens to take over the internet.
  • While you were partying with your Steam Deck, GPD studied the cord: Handheld makers are throwing paint at the wall to see what sticks. They apparently can’t compete with the Steam Deck on price, so they’re trying giant handhelds, 3D handhelds, more familiar and comfortable handhelds, and premium handhelds with Switch-like detachable controllers that double as mice. Many now cost $1,000 or more.
  • Sam Altman and Jony Ive’s secret device won’t be ‘your weird AI girlfriend’: OpenAI and designer Jony Ive are trying to solve a number of technical challenges before releasing their mysterious AI gadget, according to a Financial Times report. Two of the challenges include figuring out the palm-sized device’s “personality” and how often it should talk.
  • Jane Goodall’s death triggered the premiere of Netflix’s new show: For the last several years Netflix has been quietly banking episodes of a new show called Famous Last Words, interviews with famous people entering their twilight years. The catch is that episodes will only air after the subject passes away. The full list of interviewees is a closely guarded secret, but last week Netflix quietly posted the premiere episode featuring Jane Goodall.
  • If you can get past the terrible logo, Audacity 4 looks pretty great: Rebrands rarely get much love. That backlash can be especially strong if you’re giving a facelift to a decades-old piece of software beloved by nerds around the globe. So, it was no surprise that when Audacity revealed its new logo people on the internet got a little worked up.
  • Roland is finally honoring its legacy instead of just cashing in on it: If the only thing Roland ever released was the TR-808, the company would still deserve a place in the music gear hall of fame. The 808 is arguably the most important instrument since the creation of the electric guitar.
  • I’ve tested the latest Switch 2 controllers, and this one is the best: If you choose to get an extra controller for your Nintendo Switch 2, you can spend a lot — and get a lot in return. Buying Nintendo’s own $89.99 Switch 2 Pro Controller, for instance, will net you the console’s only wireless controller with a 3.5mm headphone jack, not to mention great rumble and a slick design.
  • The developers behind a hit sausage-dueling game hope Steam launch will take it furter: Life is a series of battles, and I just lost my last one against four gyoza on a skewer. It was an unexpected blow, because honestly, who could have expected me – a springy, respectably proportioned hot dog – to lose against a seemingly inflexible spear of small, unassuming dumplings? This is my struggle in Sausage Legend: Arena, a mobile game with a very simple premise: duel with other players’ sausages and win.
  • Version History is live — here’s how to find it: We’ve been working on a new show for the last few months, called Version History, and the first episode is now live! It’s called “Hoverboards: so hot right now,” and it’s an hour-long tour of the biggest rideable gadget of the 2010s.
  • 🏴‍☠️ Beast has just published a new victim : Perennial: Perennial Cable is a global supplier specializing in custom cable assembly solutions, including wire harnesses for various applications such as automotive, industrial, and commercial sectors.
  • 🏴‍☠️ Akira has just published a new victim : Natoli Engineering: Natoli Engineering is a renowned leader in tablet compression tooling with over fifty years of expertise in manufacturing high-quality punches and dies. […] We are ready to upload more than 936GB data.
  • 🏴‍☠️ Akira has just published a new victim : Saskarc: Saskarc Inc’s focus industries include petro chemical, oil and gas refineries, mining, power generation, and food processing. […] We are ready to upload more than 54GB data.
  • 🏴‍☠️ Akira has just published a new victim : Field and Goldberg: Field and Goldberg, LLC is a boutique law firm located in Chicago specializing in real estate taxation, transactions, and litigation. […] We are ready to upload more than 232GB data.
  • 🏴‍☠️ Worldleaks has just published a new victim : CHRIST Juweliere: [AI generated] CHRIST Juweliere is a Germany-based jewelry retailer that sells an extensive range of premium-quality jewelry and timepieces.
  • 🏴‍☠️ Incransom has just published a new victim : WELLSLANDSCAPING.COM: We provide a comprehensive array of services for both commerical and residential properties. In addition to traditional lawn and garden care we offer onsite consultation, landscape design, installation, and maintenance.
  • 🏴‍☠️ Beast has just published a new victim : The Methodist Church of Southern Africa: The Methodist Church of Southern Africa is dedicated to proclaiming the gospel of Jesus Christ for healing and transformation.
  • 🏴‍☠️ Alphalocker has just published a new victim : www.libertydentaltown.com: Liberty Dental Care & Dentures provides general dentistry 7100 Sennet Pl, Suite E Liberty Township, Ohio 45069 […] 58Gb data has been stolen
  • 🏴‍☠️ Nova has just published a new victim : Dnc: dnc is an innovative company that offers a range of services including business consulting, facility management, eBusiness solutions, and GDPR compliance. […] we have 130GB of data
  • 🏴‍☠️ Nova has just published a new victim : SD Soluciones Digitales: Soluciones Digitales is a company that operates in the Commercial Printing industry. […] 80GB data include invoices and resources, billing, Documents, reports etc
  • 🏴‍☠️ Shinyhunters has just published a new victim : Red Hat, Inc.: [AI generated] Red Hat, Inc. is a leading American multinational software company that provides open-source software products to businesses. It became a subsidiary of IBM in 2019.
  • 🏴‍☠️ Incransom has just published a new victim : Cobra Rolamentos e Autopeças: Cobra Rolamentos e Autopeças is a Brazilian distributor of auto parts, motorcycle parts and bearings, with a strong presence in the automotive aftermarket.
  • 🏴‍☠️ Incransom has just published a new victim : terex: Terex Environmental Group is a leading Canadian consulting firm providing environmental technical guidance and regulatory liaison.
  • 🏴‍☠️ Shinyhunters has just published a new victim : S&P Global (spglobal.com): [AI generated] S&P Global is an American company that provides high-quality market intelligence in the form of credit ratings, analytics, data, and insights to help customers make informed decisions.
  • 🏴‍☠️ Shinyhunters has just published a new victim : CIC Vietnam: [AI generated] CIC Vietnam is a Vietnamese consultancy firm that helps its clients develop business strategies and investment projects.
  • 🏴‍☠️ Thegentlemen has just published a new victim : 2GO Group: 2GO Group, Inc. (2GO) is a leading Philippine logistics and transportation solutions provider, majority-owned by SM Investments Corp. with Trident Investments as another key shareholder.
  • 🏴‍☠️ Incransom has just published a new victim : hillsidelibrary.org: Hillside Public Library offers a number of options for patrons blind or visually impaired. Our Kurzweil software scans in any typewritten document and reads the document aloud to the patron.
  • 🏴‍☠️ Incransom has just published a new victim : stalkerradar.com: Applied Concepts, Inc., d.b.a. Stalker Radar, was founded as a small contract engineering and manufacturing firm in 1975.
  • 🏴‍☠️ Incransom has just published a new victim : ocmaine.com: Ouellet Construction is a family-led construction company specializing in commercial construction services in Southern Maine and the broader New England area.
  • 🏴‍☠️ Qilin has just published a new victim : Rihatec.de: Rihatec Systemlösungen, Germany – Automation of control systems, innovative solutions, cooperation with large corporations. Sounds impressive, doesn’t it?
  • 🏴‍☠️ Qilin has just published a new victim : uhlcompany.com: Imagine that the building where you live or work has gone haywire. You can’t turn the lights on or off, the heating and air conditioning systems are out of order, and the video cameras have stopped focusing on the right areas.
  • 🏴‍☠️ Securotrop has just published a new victim : Mill Bay Marine Group: Status: AWAITING Size: 536 GB
  • 🏴‍☠️ Qilin has just published a new victim : AIP Asset Management: AIP Asset Management, KoreanLeak3 – is a global financial error. A company with a market-leading specialization in alternative investment strategies.
  • 🏴‍☠️ Killsec has just published a new victim : KillSec 4.0: N/A
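The two Zimbra items above describe a stored XSS caused by unsanitized HTML inside ICS calendar files, and note that the abuse was spotted by watching for unusually large .ICS attachments. The following mail-gateway triage check is an added example (not code from the original digest, from Zimbra, or from the researchers cited); the size threshold and the markup patterns are assumptions, and the ICS samples are constructed.

```python
"""Defensive triage of .ics calendar attachments (added example).

Two signals from the Zimbra CVE-2025-27915 reporting are checked:
  1. attachment size well above what a normal invite needs (assumed threshold)
  2. HTML markup inside calendar property values, which a calendar file
     has no legitimate reason to carry.
"""
import re

# Assumed threshold: ordinary invites are a few KB; tune to your own mail flow.
SIZE_LIMIT = 64 * 1024

# Markup that should never appear inside a calendar property value.
HTML_MARKERS = re.compile(
    r"<\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def unfold(ics_text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line beginning with a space or tab
    continues the previous line. Scanning must happen after unfolding,
    otherwise a property value split across lines is not seen whole."""
    lines: list[str] = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def triage_ics(ics_text: str) -> dict:
    """Return the oversized flag and the names of properties carrying HTML."""
    findings = {"oversized": len(ics_text.encode()) > SIZE_LIMIT, "html_in": []}
    for line in unfold(ics_text):
        if ":" not in line:
            continue
        prop, _, value = line.partition(":")
        name = prop.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=en
        if HTML_MARKERS.search(value):
            findings["html_in"].append(name)
    findings["suspicious"] = findings["oversized"] or bool(findings["html_in"])
    return findings


# Constructed samples: a benign invite and one whose folded DESCRIPTION carries HTML.
BENIGN = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Team sync\r\n"
          "DESCRIPTION:Agenda attached\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
SUSPECT = ("BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:Invoice\r\n"
           "DESCRIPTION;LANGUAGE=en:Please review the attached\r\n"
           "  quote <script>void(0)</script>\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_ics(sample))
```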