Latest Ransomware News and New File Extensions
LockBit / Babuk:
- New Encrypted File Extension: Not specified.
- Attack Methods: Deploying the open-source Velociraptor digital forensics and incident response (DFIR) tool on compromised hosts as a remote-access and persistence mechanism ahead of dropping LockBit or Babuk ransomware; the activity is attributed to the Storm-2603 threat group.
- Targets: General corporate networks.
- Decryption Status: No specific information available.
- Source: [URL not provided in source data]
ShinyHunters (Extortion Group):
- New Encrypted File Extension: Not applicable (data extortion group).
- Attack Methods: Data theft followed by public leaks through the BreachForums portal, which the FBI has now seized; the group's extortion threats remain active.
- Targets: A broad range of corporations, with Engie Resources, Albertsons Companies, Inc., and Qantas Airways Limited among the most recently posted victims. The seized portal was also used for extortion tied to Salesforce-related data theft.
- Decryption Status: Not applicable as data is leaked, not encrypted.
- Source: [URL not provided in source data]
Qilin Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion.
- Targets: Recently claimed victims include Artan Holding (Qatar), Grupo Caparrós (Spain), and Uvalde Consolidated Independent School District (USA).
- Decryption Status: No information available.
- Source: [URL not provided in source data]
Akira Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, threatening to publish financial data and sensitive personal information (passports, SSNs).
- Targets: Announced victims include Five Star Mechanical Inc. and Carlson Building Maintenance.
- Decryption Status: No information available.
- Source: [URL not provided in source data]
Other Active Ransomware/Extortion Groups:
- New Encrypted File Extension: Not specified.
- Attack Methods: Numerous groups (including Incransom, Play, Devman, Anubis, Sinobi, Brotherhood, and Dragonforce) are exfiltrating data and demanding ransoms to prevent its publication. Devman explicitly listed demands of $200k and $250k.
- Targets: A wide array of organizations worldwide across sectors such as healthcare (Brevard Skin, Central Jersey Medical Center), logistics (Den Hartogh Logistics), public utilities (Tonga Power), retail (American Home Furniture), and government (forestry.gov.jm).
- Decryption Status: No information available.
- Source: [URL not provided in source data]
Observations and Further Recommendations
- Misuse of Legitimate Tools: A notable trend is the abuse of defensive security tooling for offensive ends. Threat actors are installing the Velociraptor DFIR tool on victim hosts to gain and keep persistent access during ransomware attacks. Because the binary is legitimate and often allowlisted, detection has to key on how it is used: who installed it, from where, and which server its client configuration reports to.
- High Volume of Activity: Ransomware and data extortion remain highly active, with a continuous stream of victims being published by numerous gangs (Qilin, Akira, Play, etc.). This affects a diverse range of industries worldwide, from small businesses to large corporations and public entities.
- Law Enforcement Disruption: Despite the high volume of attacks, law enforcement continues to disrupt cybercriminal operations, as demonstrated by the FBI’s seizure of the BreachForums portal used for extortion and data leaks.
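The "monitor for anomalous use" recommendation above only works if you can tell your own Velociraptor deployment from an attacker's. A Velociraptor client locates its server through the Client.server_urls entries in its YAML configuration, so a client whose config points anywhere but your own server is not yours, whatever the binary is called. The script below is an added example and is not code from the article or from the Velociraptor project: it triages constructed process-creation records (Sysmon Event ID 1 style JSON lines) against an allowlist of sanctioned server URLs, install directory and operator account. The server URL, install path, operator account, log records and client config files are all assumptions constructed for illustration.

```python
"""Flag Velociraptor client activity that does not match the sanctioned deployment."""
import json
import re

# Assumptions (not from the article): the only sanctioned Velociraptor server,
# the expected install directory and the account allowed to install the service.
AUTHORIZED_SERVER_URLS = {"https://velo.corp.example:8000/"}
AUTHORIZED_INSTALL_DIR = "c:\\program files\\velociraptor\\"
AUTHORIZED_OPERATORS = {"CORP\\svc-dfir"}

# Constructed Velociraptor client configs keyed by on-disk path, standing in for the
# files you would pull from the endpoint. A client reaches its server via
# Client.server_urls in this YAML.
SAMPLE_CONFIGS = {
    r"C:\Program Files\Velociraptor\client.config.yaml":
        "Client:\n  server_urls:\n    - https://velo.corp.example:8000/\n  ca_certificate: |\n",
    r"C:\Users\Public\client.yaml":
        "Client:\n  server_urls:\n    - https://relay.example-hosting.net:443/\n  nonce: abc\n",
}

# Constructed process-creation records, one JSON object per line (hosts and users are fictional).
SAMPLE_EVENTS = r"""
{"host":"WS-042","user":"CORP\\svc-dfir","image":"C:\\Program Files\\Velociraptor\\Velociraptor.exe","cmdline":"Velociraptor.exe --config \"C:\\Program Files\\Velociraptor\\client.config.yaml\" service run"}
{"host":"WS-117","user":"CORP\\jsmith","image":"C:\\Users\\Public\\velociraptor.exe","cmdline":"velociraptor.exe --config C:\\Users\\Public\\client.yaml service install"}
{"host":"SRV-03","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i https://relay.example-hosting.net/velociraptor.msi /qn"}
{"host":"WS-042","user":"CORP\\jsmith","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
"""


def server_urls_from_config(text):
    """Pull the Client.server_urls list out of a client YAML with a regex (no PyYAML needed)."""
    block = re.search(r"server_urls:\s*\n((?:\s+-\s*\S+\n?)+)", text)
    if not block:
        return []
    return re.findall(r"^\s*-\s*(\S+)", block.group(1), re.M)


def config_path_from_cmdline(cmdline):
    """Return the path given to --config, handling quoted paths with spaces."""
    m = re.search(r'--config\s+(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else None


def triage_event(event, configs=SAMPLE_CONFIGS):
    """Return the reasons this event looks like unsanctioned Velociraptor use (empty if benign)."""
    reasons = []
    image = event["image"].lower()
    cmd = event["cmdline"]
    if image.endswith("\\velociraptor.exe"):
        if not image.startswith(AUTHORIZED_INSTALL_DIR):
            reasons.append("velociraptor.exe running outside sanctioned install dir: " + event["image"])
        path = config_path_from_cmdline(cmd)
        if path:
            urls = server_urls_from_config(configs.get(path, ""))
            rogue = [u for u in urls if u not in AUTHORIZED_SERVER_URLS]
            if rogue:
                reasons.append("client config points at unsanctioned server(s): " + ", ".join(rogue))
            elif not urls:
                reasons.append("could not read server_urls from " + path)
        if "service install" in cmd.lower() and event.get("user") not in AUTHORIZED_OPERATORS:
            reasons.append("service installed by non-operator account: " + str(event.get("user")))
    elif image.endswith("\\msiexec.exe") and re.search(r"velociraptor\S*\.msi", cmd, re.I):
        # Ad-hoc MSI installs (especially from a URL) are how an attacker drops the client.
        reasons.append("Velociraptor MSI installed via msiexec: " + cmd)
    return reasons


def triage(events_text=SAMPLE_EVENTS, configs=SAMPLE_CONFIGS):
    """Parse JSON-lines events and return {host: [reasons]} for every host with a finding."""
    findings = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage_event(event, configs)
        if reasons:
            findings.setdefault(event["host"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for host, reasons in triage().items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Against the constructed sample, WS-042 (the sanctioned client run by the DFIR service account) produces no finding, while WS-117 is flagged three times (binary outside the install directory, config pointing at an unsanctioned server, service installed by a non-operator) and SRV-03 once for the ad-hoc MSI install. In production you would feed real Sysmon or EDR process events and read the referenced config file from the endpoint rather than from an inline dictionary; the allowlist comparison is deliberately exact, so add your server's alternate URLs to AUTHORIZED_SERVER_URLS rather than loosening the match.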
News Details
- Hackers now use Velociraptor DFIR tool in ransomware attacks: Threat actors have started to use the Velociraptor digital forensics and incident response (DFIR) tool in attacks that deploy LockBit and Babuk ransomware.
- Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks: In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks.
- FBI takes down BreachForums portal used for Salesforce extortion: The FBI seized all domains of the BreachForums hacking forum last night. The forum, operated by the ShinyHunters group, served mostly as a portal for leaking corporate data stolen in attacks by ransomware and extortion gangs.
- The Fight Against Ransomware Heats Up on the Factory Floor: Ransomware gangs continue to set their sights on the manufacturing industry, but companies are taking steps to protect themselves, starting with implementing timely patch management protocols.
- 🏴☠️ Shinyhunters has just published a new victim : Engie Resources: [AI generated] Engie Resources is a subsidiary of Engie, a global energy player. The company provides commercial and industrial customers with comprehensive energy solutions, including electricity supply, natural gas, renewable energy, and demand response capabilities.
- 🏴☠️ Shinyhunters has just published a new victim : Albertsons Companies, Inc.: [AI generated] Albertsons Companies, Inc. is one of the largest food and drug retailers in the United States, serving millions of customers each week.
- 🏴☠️ Shinyhunters has just published a new victim : Qantas Airways Limited: [AI generated] Qantas Airways Limited is an Australian international and domestic airline service. Founded in 1920, it is the third oldest airline in the world.
- 🏴☠️ Devman has just published a new victim : forestry.gov.jm: Ransom: 200000 USD
- 🏴☠️ Qilin has just published a new victim : Artan Holding: Artan Holding is a Qatari family-owned holding company with a diverse portfolio of leading businesses in the Education, Real Estate, and Industrial sectors operating primarily in Qatar.
- 🏴☠️ Qilin has just published a new victim : www.ucisd.net: Uvalde Consolidated Independent School District, USA, is a public school district based in Uvalde, Texas, US.
- 🏴☠️ Anubis has just published a new victim : Den Hartogh Logistics: Data leak at one of the world’s leading logistics service providers
- 🏴☠️ Akira has just published a new victim : Five Star Mechanical Inc.: Five Star Mechanical Inc. specializes in providing commercial and industrial HVAC services, plumbing, piping, and sheet metal fabrication. We are ready to upload 30 GB of corporate documents. Employee and owners personal information (passports, DLs, SSNs, address, emails and so on), customers files, projects, financials and other operating files.
- 🏴☠️ Akira has just published a new victim : Carlson Building Maintenance: Carlson Building Maintenance specializes in commercial cleaning services throughout the Midwest… We are ready to upload more than 20 GB of their data. There are lots of essential corporate documents such as: financial data… employees and customers information…
- 🏴☠️ Incransom has just published a new victim : https://www.tongapower.to/: TPL was established in July 2008 to act as the concessionaire in Tonga's concession-based electricity regulation regime. TPL generates, distributes, and sells to all our commercial and domestic customers in Tongatapu, Vavaʻu, Haʻapai and ʻEua.
- 🏴☠️ Play has just published a new victim : Accelerated: United States
- 🏴☠️ Play has just published a new victim : Elmer W. Davis: United States