Ransomware Update – 2025-10-17

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Rhysida:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Distributing fake Microsoft Teams installers signed with fraudulently obtained code-signing certificates (Microsoft has since revoked them). The installers drop the Oyster backdoor, which the operators, tracked by Microsoft as Vanilla Tempest, then use to deploy Rhysida ransomware.
    • Targets: Broadly targeting organizations, including a German manufacturing company (GEIGER), a UK accounting firm (Sibbalds), and a US steel pipe manufacturer (Tex-Tube). The campaign was significant enough for Microsoft to revoke over 200 fraudulent certificates.
    • Decryption Status: No known method mentioned.
    • Source: https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html, https://www.bleepingcomputer.com/news/microsoft/microsoft-disrupts-ransomware-attacks-targeting-teams-users/
  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: A wide variety of sectors globally, including the Spanish Tax Administration Agency (Agencia Tributaria), a US healthcare provider (Richmond Behavioral Health Authority), a Canadian pharma company (Dalton Pharma Services), a Canadian shipping agency (Montship), and multiple other consulting, construction, and manufacturing firms in North America.
    • Decryption Status: No known method mentioned.
    • Source: Victim announcements from ransomware monitoring sources.
  • Play:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified in the articles.
    • Targets: Multiple US-based companies including BMP Worldwide, Cellucap Manufacturing, Global Shop Solutions, and Legacy Manufacturing.
    • Decryption Status: No known method mentioned.
    • Source: Victim announcements from ransomware monitoring sources.
  • Other Ransomware Activity:

    • Blackshrantac: Published victims including SK shieldus (a technology security company) and Gulf Warranties LLC.
    • Anubis: Claimed an attack on Aussie Fluid Power, an Australian engineering company.
    • Devman: Listed the Embassy of Bolivia in DC and a US urology clinic as victims, demanding ransoms of $200k – $1.4M.
    • Nova: Targeted a Polish IT company (M3 Group), a Swiss startup (ShareP), and a Malaysian hospital (Regency Specialist Hospital).

Observations and Further Recommendations

  • Ransomware groups continue to be highly active, targeting a diverse range of industries and geographical locations. Qilin’s targeting of a government tax agency and a behavioral health authority demonstrates that critical public services remain high-value targets.
  • The Rhysida campaign highlights a TTP (Tactic, Technique, and Procedure) worth calling out: fraudulently obtained code-signing certificates let a malicious installer pass any control that only asks "is this file signed?". A valid Authenticode signature proves that a key accepted by a CA signed the file; it does not prove that the publisher is Microsoft. Verifying software authenticity therefore means checking the signer's identity and the certificate's revocation status, not just that the signature validates.
  • Recommendation: Train staff to treat "software update" lures as phishing and to obtain collaboration software only from vendor-controlled sources. Enforce application control (for example AppLocker or WDAC publisher rules that allow only the expected publisher, rather than any validly signed binary). Monitor for executables signed by publishers not previously seen in the environment, and re-check the signatures of installers already downloaded, since a revocation published after download is only caught by a fresh check.
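
As an added example of the check the recommendation above describes (this is not code from the cited articles or from Microsoft), the following PowerShell function verifies an installer's Authenticode signature and then checks what signature validity alone does not cover: that the signer is the expected publisher and that the signing chain is not revoked. The expected publisher subject string and the installer path are assumptions.

```powershell
# Added example: gate execution of a downloaded installer on three checks, not one.
# Assumptions: the default publisher subject and the sample path are illustrative.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Expected publisher exactly as it appears in the signer certificate subject (assumption).
        [string] $ExpectedPublisher = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Check 1: the signature must be cryptographically valid and chain to a trusted root.
    # NotSigned, HashMismatch and UnknownError all fail here.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # Check 2: a valid signature only tells us *someone* with a CA-issued certificate signed
    # the file. The fake Teams installers in the Rhysida campaign were validly signed with
    # fraudulently obtained certificates, so the signer identity must match the publisher we expect.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -ne $ExpectedPublisher) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Unexpected signer: $subject" }
    }

    # Check 3: re-check revocation online for the whole chain. A timestamped signature can
    # still report Valid if the certificate was revoked with an effective date after the
    # timestamp, and Get-AuthenticodeSignature may be working from a cached CRL; building
    # the chain ourselves with online revocation surfaces a Revoked status regardless.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($sig.SignerCertificate)
    if (-not $chainOk) {
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "Chain check failed: $statuses" }
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = 'Valid signature, expected publisher, chain not revoked'
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SignedAt   = if ($sig.TimeStamperCertificate) { 'timestamped' } else { 'no timestamp' }
    }
}

# Usage (the path is an assumption):
Test-TrustedInstaller -Path 'C:\Users\Public\Downloads\MSTeamsSetup.exe' | Format-List
```

Run this from an endpoint-management script before an installer is allowed to execute, or point it at files already sitting in user download folders to re-evaluate them after a revocation event like the one Microsoft announced. The subject-string comparison is deliberately exact; if your policy should accept several publishers, compare against an allow-list rather than loosening the match to a substring.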

News Details

  • Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign: Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks. The certificates were “used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware,” the Microsoft Threat Intelligence team said in a post shared on X.
  • Microsoft disrupts ransomware attacks targeting Teams users: Microsoft has disrupted a wave of Rhysida ransomware attacks in early October by revoking over 200 certificates used to sign malicious Teams installers.
  • 🏴‍☠️ Rhysida has just published a new victim : GEIGER: GEIGER Antriebstechnik is a leading manufacturer of innovative mechanical and electric drive solutions for sun protection products such as blinds, awnings, and shutters, employing over 250 staff.
  • 🏴‍☠️ Qilin has just published a new victim : Agencia Tributaria: The Spanish Tax Administration Agency (Agencia Tributaria) – is the revenue service of the Kingdom of Spain. The agency is responsible for the effective application of the national tax and customs systems and for those resources of other Publ…
  • 🏴‍☠️ Qilin has just published a new victim : Richmond Behavioral Health Authority: Richmond Behavioral Health Authority (RBHA) is a statewide organization dedicated to providing comprehensive mental health, mental retardation, substance abuse and prevention services to the residents of the City of Richmond. The organization…
  • 🏴‍☠️ Play has just published a new victim : BMP Worldwide: United States
  • 🏴‍☠️ Blackshrantac has just published a new victim : SK shieldus: [AI generated] “SK shieldus” is a technology company focused on mobile and web application security. They specialize in providing comprehensive security solutions by using Artificial Intelligence algorithms to identify and prevent potential threats.
  • 🏴‍☠️ Anubis has just published a new victim : Aussie Fluid Power: An Australian engineering leader has fallen victim to a cyberattack causing a data breach.
  • 🏴‍☠️ Devman has just published a new victim : www.om*nt.com: Ransom: 1400000 USD
  • 🏴‍☠️ Nova has just published a new victim : Regency Specialist Hospital: Founded in 2009, Regency Specialist Hospital is a tertiary care hospital located in the growing township of Bandar Seri Alam in Malaysia. Regency Specialist Hospital provides specialist inpatient and outpatient healthcare services supported by a full range of diagnostic, radiology and clinical laboratory services.
  • North Korean Hackers Use EtherHiding to Hide Malware Inside Blockchain Smart Contracts: A threat actor with ties to the Democratic People’s Republic of Korea (aka North Korea) has been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method.
  • Hackers Abuse Blockchain Smart Contracts to Spread Malware via Infected WordPress Sites: A financially motivated threat actor codenamed UNC5142 has been observed abusing blockchain smart contracts as a way to facilitate the distribution of information stealers, such as Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar, targeting both Windows and Apple macOS systems.
  • Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices: Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code. The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is described as an out-of-bounds write vulnerability.
  • Hackers exploit Cisco SNMP flaw to deploy rootkit on switches: Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
  • CISA: Maximum-severity Adobe flaw now exploited in attacks: CISA has warned that attackers are actively exploiting a maximum-severity vulnerability in Adobe Experience Manager to execute code on unpatched systems.