Latest Ransomware News and New File Extensions
LockBit:
- New Encrypted File Extension: Not specified in the article.
- Attack Methods: Abusing the legitimate open-source digital forensics and incident response (DFIR) tool “Velociraptor” for malicious activities post-compromise.
- Targets: General targets; specific entities not mentioned in this campaign.
- Decryption Status: No known public decryptor for recent versions.
- Source: “Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks”
SonicWall VPN Compromise:
- New Encrypted File Extension: N/A
- Attack Methods: Widespread compromise of SonicWall SSL VPN devices using valid credentials, suggesting credentials were stolen previously rather than brute-forced.
- Targets: Organizations using SonicWall SSL VPNs, with over 100 accounts reportedly impacted across multiple customer environments.
- Decryption Status: N/A (This is an access/compromise event, not an encryption attack).
- Source: “Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts”
Gladinet Zero-Day Exploitation:
- New Encrypted File Extension: N/A
- Attack Methods: Active exploitation of a zero-day vulnerability (CVE-2025-11371) that allows a local attacker to access system files without authentication.
- Targets: Users of Gladinet CentreStack and Triofox file-sharing software.
- Decryption Status: N/A (Vulnerability exploitation, not a direct ransomware campaign).
- Source: “Hackers exploiting zero-day in Gladinet file sharing software”
Multiple Ransomware Gangs (Victim Announcements):
- New Encrypted File Extension: Not specified in announcements.
- Attack Methods: Data exfiltration followed by public naming and shaming on leak sites to extort victims.
- Targets: A diverse range of global organizations across multiple sectors. Notable gangs and recent victims include Qilin (Team Schierl Companies), Incransom (Balfour Beatty), Radiant (Kido Schools, Minnesota Hospital), Nova (ShapeCorp), and Shinyhunters (Albertsons, Qantas).
- Decryption Status: No public decryption tools are available for these active extortion campaigns.
- Source: Ransomware leak site monitoring reports.
Observations and Further Recommendations
- Threat actors continue to abuse legitimate IT and security tools (e.g., Velociraptor by the LockBit group) to blend in with normal network activity and evade detection.
- The exploitation of vulnerabilities in public-facing infrastructure, such as VPNs (SonicWall) and file-sharing software (Gladinet), remains a critical initial access vector for cyberattacks.
- Ransomware groups maintain a high operational tempo, targeting a wide and opportunistic range of industries, including manufacturing, healthcare, retail, logistics, and government services.
- It is crucial for organizations to prioritize timely patching of all internet-facing systems, implement multi-factor authentication (MFA) on all remote access services, and monitor for unusual use of legitimate administrative tools.
News Details
- Experts Warn of Widespread SonicWall VPN Compromise Impacting Over 100 Accounts: Cybersecurity company Huntress on Friday warned of “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments. “Threat actors are authenticating into multiple accounts rapidly across compromised devices,” it said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”
- Hackers Turn Velociraptor DFIR Tool Into Weapon in LockBit Ransomware Attacks: Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.
- Windows 11 23H2 Home and Pro reach end of support in 30 days: Microsoft has reminded customers again today that systems running Home and Pro editions of Windows 11 23H2 will stop receiving security updates next month. […]
- Hackers exploiting zero-day in Gladinet file sharing software: Threat actors are exploiting a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and Triofox products, which allows a local attacker to access system files without authentication. […]
- 1Password Addresses Critical AI Browser Agent Security Gap: The security company looks to tackle new authentication challenges that could lead to credential leakage, as enterprises increasingly leverage AI browser agents.
- RondoDox Botnet: an ‘Exploit Shotgun’ for Edge Vulns: RondoDox takes a hit-and-run, shotgun approach to exploiting bugs in consumer edge devices around the world.
- The Fight Against Ransomware Heats Up on the Factory Floor: Ransomware gangs continue to set their sights on the manufacturing industry, but companies are taking steps to protect themselves, starting with implementing timely patch management protocols.
- 🏴☠️ Qilin has just published a new victim : Team Schierl Companies: Team Schierl Companies is an organization of retail businesses and real estate development. TSC was founded in 1956 and is currently headquartered in Stevens Point, Wisconsin.
- 🏴☠️ Incransom has just published a new victim : Balfour Beatty: Balfour Beatty US, founded in 1933 and headquartered in Dallas, Texas, is a commercial construction company that offers services for construction management, general contracting, cost consulting, and design-building.
- 🏴☠️ Radiant has just published a new victim : Kido Schools: We integrate advances in design, technology, and pedagogy to create the highest quality nurseries and preschools.
- 🏴☠️ Radiant has just published a new victim : Magna Foodservice: Magna Foodservice is a leading supplier of a wide range of food products, including halal poultry, drinks, food packaging, and hygiene products.
- 🏴☠️ Radiant has just published a new victim : Minnesota Hospital: Unknown. Contact us within 7 days or we will expose your hospitals name, add the view more button and start our pressure process.
- 🏴☠️ Radiant has just published a new victim : Retail Texas: Unknown. Contact within 7 days or we will publish your name, add the view more button and begin our pressure process.
- 🏴☠️ Radiant has just published a new victim : UK Rail Services: Unknown. You will be contacted shortly. 3 Days for contact or else we will begin our process.
- 🏴☠️ Nasirsecurity has just published a new victim : Taldor: This is a warning… you remain in danger.
- 🏴☠️ Everest has just published a new victim : Streebo: [AI generated] “Streebo” is an established global IT solutions company, specializing in AI-powered digitization services and products.
- 🏴☠️ Brotherhood has just published a new victim : Integlia: Contains: 66 Gb compressed Files
- 🏴☠️ Brotherhood has just published a new victim : Citizens’ Committee for Children of New York: Contains: 45 Gb compressed Files
- 🏴☠️ Bqtlock has just published a new victim : Adore UAE: adoreuae.com www.adoreuae.com
- 🏴☠️ Bqtlock has just published a new victim : EPS FUJ Private School UAE: epsfuj.com www.epsfuj.com
- 🏴☠️ Anubis has just published a new victim : Maine Oxy: Financial data breach
- 🏴☠️ Nova has just published a new victim : ShapeCorp: Shape Corp. is a global leader in automotive engineering and manufacturing… [[ Data extracted include Engineering design files, Marketing and presentation assets, CAD, mechanical designs, CNC programs…]]
- 🏴☠️ Worldleaks has just published a new victim : Mandom Corporation: [AI generated] Mandom Corporation is a Japanese company specializing in the production and sale of cosmetics, perfume, and health products.
- 🏴☠️ Handala has just published a new victim : RedWanted Alert: As promised, every Saturday, we unveil a new chapter in exposing those complicit in the machinery of the Zionist regime.
- 🏴☠️ Shinyhunters has just published a new victim : Engie Resources: [AI generated] Engie Resources is a subsidiary of Engie, a global energy player. The company provides commercial and industrial customers with comprehensive energy solutions…
- 🏴☠️ Shinyhunters has just published a new victim : Albertsons Companies, Inc.: [AI generated] Albertsons Companies, Inc. is one of the largest food and drug retailers in the United States, serving millions of customers each week.
- 🏴☠️ Shinyhunters has just published a new victim : Qantas Airways Limited: [AI generated] Qantas Airways Limited is an Australian international and domestic airline service. Founded in 1920, it is the third oldest airline in the world.
- 🏴☠️ Dragonforce has just published a new victim : Express Logistics and Distribution Ltd: We expect Express Logistics and Distribution Ltd to contact us to prevent the publication of a large volume of private data over many years.
- 🏴☠️ Kairos has just published a new victim : www.ms-security-ltd.com/Cyprus/1.48TB: Unknown – MS Security & Personnel
- 🏴☠️ Devman has just published a new victim : r**urology.com: Ransom: 250k 300gb
- 🏴☠️ Devman has just published a new victim : forestry.gov.jm: Ransom: 200000 USD
- 🏴☠️ Sinobi has just published a new victim : Complete Milling Lab: Complete Dental Lab is a family-owned dental laboratory based in South Florida, specializing in a wide range of custom restorations.
- 🏴☠️ Sinobi has just published a new victim : Paleontological Research Institution: The Paleontological Research Institution, or PRI, is a paleontological organization in Ithaca, New York with a mission including both research and education.
- 🏴☠️ Safepay has just published a new victim : empirico-mr.com: Empirico Research is a boutique global market-research and data-collection firm founded around 2016.
- 🏴☠️ Safepay has just published a new victim : tango-hotel.com.ar: The Argentina Tango Hotel (often listed as Tango de Mayo / Argentina Tango in booking platforms) is a boutique city …
- 🏴☠️ Safepay has just published a new victim : bridgenetcommunicationsrgv.com: BridgeNet Communications is a regional low-voltage and structured-cabling specialist serving the Rio Grande Valley and parts of Central Texas.
- 🏴☠️ Safepay has just published a new victim : krne.com: Krne Law Firm a small to mid-size private legal practice, perhaps specializing in general civil law, real estate, business contracts, …
- 🏴☠️ Safepay has just published a new victim : glatten.de: Located in Glatten, J. Schmalz GmbH is a long-established, family-run engineering group specialising in vacuum technology and automation for handling …
- 🏴☠️ Safepay has just published a new victim : portofuneralhomes.net: Porto Funeral Homes (Porto / Porto Funeral Home) operates funeral and memorial services in New Haven County, Connecticut, with facilities …
- 🏴☠️ Safepay has just published a new victim : ggw.net: Glenn Graydon Wright LLP (GGW) is an established Oakville, Ontario accounting and advisory firm (founded 1958) that provides assurance, tax, …
- 🏴☠️ Safepay has just published a new victim : cmlmachinery.com: CML Machinery is a Canadian distributor and supplier of metal-forming and woodworking equipment — press brakes, shears, tube benders, CNC …
- 🏴☠️ Dragonforce has just published a new victim : Downes: Proudly managing FMCG brands for over 35 years. With over 94% coverage of the major grocery retailers, Downes services Woolworths, Coles, Independent Supermarkets…
- 🏴☠️ Sinobi has just published a new victim : Bellingham Vet Center: Bellingham Animal Hospital specializes in preventive care. We strongly recommend regular check-ups for your animal to ensure better health and a longer life.
- 🏴☠️ Sinobi has just published a new victim : Central Jersey Medical Center: Central Jersey Medical Center (CJMC) is a Federally Qualified Health Center (FQHC) that provides primary care, dental, and preventive health services for you and your family.
- 🏴☠️ Sinobi has just published a new victim : Sunbulah Group: Sunbulah Group was founded in 1980. This company provides the manufacturing of frozen fruits, vegetables, meats and pastry products.
- 🏴☠️ Pear has just published a new victim : Brevard Skin: Dedicated to providing comprehensive dermatological care to address a wide range of skin, hair, and nail conditions