Ransomware Update – 2025-10-24

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Healthcare (ClearCare Periodontal & Implant Centre, NurseSpring, Samera Health, CHDFS), Real Estate (IREM companies, Real Estate Specialists), Manufacturing (Gericke AG, Signet Armorlite, Inc.), Logistics (All Truck Transportation), Building Materials (Grupo Promasa), Printing (KHL Printing), and Food & Beverage (More Than Gourmet).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Ransomhouse:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Financial Services (OCI International Holdings), Chemicals (Kurogane Kasei Co.), Food Production (S Food Co., Ltd.), and Oil & Gas (United Lube Oil).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Killsec:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Government (National Institute of Administration, Romania), Retail/Supply (Badger Popcorn, Economy Restaurant Equipment, J AND S Electrical), Financial/Investment (FAAB Invest Advisors), Fintech (DUC App), and Software/IT Services (iCare Software, Vanan Online Services).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Tengu:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Education (UniCursos, Brazil), Hospitality (FOOD & MUSIC MANAGEMENT SL), Food Manufacturing (Al Rimal Group, STAR LÉGUMES), and Petrochemicals (Qatargas and Tar Company, Iran).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Lynx:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Engineering/Services (simmerscrane.com) and IT Services (ozsoft.com.au).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Anubis:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: Legal services (Goodfellow & Schuettlaw, Paterson & Dowding Family Lawyers).
    • Decryption Status: No known free decryption tool.
    • Source: Source data provided in the prompt.
  • Other Groups (Beast, Crypto24, Kryptos, Nova, Embargo):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified.
    • Targets: A diverse range of sectors including Communications (Danthi Comunicacao Integrada by Beast), Education (Adichunchanagiri Institute Of Technology by Kryptos), Hospitality (The Laxmi Niwas Palace by Nova), and Technology (ACTi.com by Embargo). Crypto24’s victim was partially redacted.
    • Decryption Status: No known free decryption tool for any of these groups.
    • Source: Source data provided in the prompt.

Observations and Further Recommendations

  • A wide variety of ransomware groups remain highly active, targeting a diverse and global range of industries including healthcare, finance, manufacturing, legal, and education. This indicates no sector is immune to attack.
  • Threat actors are actively exploiting vulnerabilities in public-facing platforms. The attacks on over 250 Magento stores using the ‘SessionReaper’ flaw (CVE-2025-54236) highlight the critical need for timely patching.
  • Alongside financially motivated ransomware attacks, state-sponsored campaigns from groups like North Korea’s Lazarus and Iran’s MuddyWater continue to target organizations for espionage and data theft, often focusing on strategic sectors like defense.
  • Organizations should prioritize patching known exploited vulnerabilities, particularly in internet-facing systems like e-commerce platforms and endpoint management tools. Regular security awareness training and maintaining robust, tested offline backup procedures are essential for resilience against these ongoing threats.

News Details

  • 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation: A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads.
  • Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack: Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.
  • North Korean Hackers Lure Defense Engineers with Fake Jobs to Steal Drone Secrets: Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job.
  • Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw: E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours.
  • Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Cyberattacks, CISA Confirms: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild.
  • Iran-Linked MuddyWater Targets 100+ Organisations in Global Espionage Campaign: The Iranian nation-state group known as MuddyWater has been attributed to a new campaign that has leveraged a compromised email account to distribute a backdoor called Phoenix to various organizations across the Middle East and North Africa (MENA) region, including over 100 government entities.
  • Windows Server emergency patches fix WSUS bug with PoC exploit: Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code.
  • Toys “R” Us Canada warns customers’ info leaked in data breach: Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems.
  • Fear the ‘SessionReaper’: Adobe Commerce Flaw Under Attack: CVE-2025-54236 is a critical flaw in Adobe Commerce (formerly Magento) that allows attackers to remotely take over sessions on the e-commerce platform.
  • 🏴‍☠️ Beast has just published a new victim: Danthi Comunicacao Integrada: With a senior team and over 130 clients, Danthi Comunicacao Integrada believes in building close, long-term, and trust-based relationships with all its partners.
  • 🏴‍☠️ Lynx has just published a new victim: simmerscrane.com: Simmers Crane Design & Services Company was founded in 1958 by Charles Simmers, former Chief Engineer with Koppers Co. and Vice President of Engineering with Morgan Engineering Company.
  • 🏴‍☠️ Qilin has just published a new victim: ClearCare Periodontal & Implant Centre: The ClearCare Periodontal & Implant Centre was attacked on 13 October 2025. At the time of the attack, critical data on customers and their employees was uploaded.
  • 🏴‍☠️ Kryptos has just published a new victim: Adichunchanagiri Institute Of Technology: Educational Institute – 2500 Students – 150 Staff
  • 🏴‍☠️ Ransomhouse has just published a new victim: OCI International Holdings: OCI International Holdings Limited (stock code: 0329.HK) is a Hong Kong Stock Exchange-listed investment holding company, incorporated in the Cayman Islands in 2001.
  • 🏴‍☠️ Anubis has just published a new victim: Paterson & Dowding Family Lawyers: Law firm data breach