Latest Ransomware News and New File Extensions
Safepay:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; victims are published on their leak site.
- Targets: A diverse range of international companies, including Construction Donald Provost (construction), Xortec GmbH (German tech distributor), MINO Group (Japanese manufacturer), Bannenberg & Rowell (luxury yacht design), and The Greenhouse (Boston apartments).
- Decryption Status: No known method yet.
- Source: Ransomware group’s public leak announcements.
Chaos:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; victims are published on their leak site.
- Targets: Hanson Professional Services Inc., a national consulting firm specializing in engineering and planning.
- Decryption Status: No known method yet.
- Source: Ransomware group’s public leak announcements.
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; victims are published on their leak site.
- Targets: Various organizations including Doha British School (education), ClearCare Periodontal & Implant Centre (healthcare), IREM companies (real estate), and Gericke AG (Swiss manufacturing group).
- Decryption Status: No known method yet.
- Source: Ransomware group’s public leak announcements.
Ransomhouse:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; victims are published on their leak site.
- Targets: OCI International Holdings (investment firm), Kurogane Kasei Co. (Japanese chemical company), and S Food Co., Ltd. (meat producer).
- Decryption Status: No known method yet.
- Source: Ransomware group’s public leak announcements.
Worldleaks:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; victims are published on their leak site.
- Targets: Summit Hotel Properties (US REIT), Essilor of America (optical lens manufacturer), and Peruvian Connection (fashion retailer).
- Decryption Status: No known method yet.
- Source: Ransomware group’s public leak announcements.
Other Active Groups:
- New Encrypted File Extension: Not specified.
- Attack Methods: Not specified; new victims were published by multiple other groups.
- Targets: Victims were also claimed by Silentransomgroup (Hall Estill law firm), Tengu (Le MULTI LABORATOIRE LC2A, UniCursos Brazil), Beast (Danthi Comunicacao Integrada), Lynx (Simmers Crane Design & Services), and Kryptos (Adichunchanagiri Institute Of Technology).
- Decryption Status: No known method yet.
- Source: Ransomware groups’ public leak announcements.
Observations and Further Recommendations
- Ransomware groups remain highly active, targeting a wide and diverse range of global industries including education, manufacturing, healthcare, legal services, and technology. The broad targeting suggests opportunistic attack strategies.
- A report indicates that the percentage of companies paying ransoms has dropped significantly, which may cause threat actors to shift their tactics in response to decreasing profits.
- Beyond ransomware, active exploitation of critical vulnerabilities is a major threat. A flaw in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, and outdated WordPress plugins are being targeted in mass attacks.
- It is crucial for organizations to prioritize timely patching of critical vulnerabilities in software and services to prevent initial access by attackers. Regularly updating all systems, including third-party plugins, is a key defensive measure.
News Details
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation: The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of services across the world, according to new findings from Palo Alto Networks Unit 42.
- Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation: Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has a publicly available proof-of-concept (PoC) exploit and has come under active exploitation in the wild.
- APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign: A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT.
- 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation: A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads.
- Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack: Cybersecurity researchers have discovered a self-propagating worm that spreads via Visual Studio Code (VS Code) extensions on the Open VSX Registry and the Microsoft Extension Marketplace, underscoring how developers have become a prime target for attacks.
- Hackers launch mass attacks exploiting outdated WordPress plugins: A widespread exploitation campaign is targeting WordPress websites running GutenKit and Hunk Companion plugin versions vulnerable to old, critical-severity security issues that can be used to achieve remote code execution (RCE).
- Critical WSUS flaw in Windows Server now exploited in attacks: Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.
- Fake LastPass death claims used to breach password vaults: LastPass is warning customers of a phishing campaign sending emails that present a request to access the password vault as part of a legacy inheritance process.
- Toys “R” Us Canada warns customers’ info leaked in data breach: Toys “R” Us Canada has sent notices of a data breach to customers informing them of a security incident where threat actors leaked customer records they had previously stolen from its systems.
- Insider Threats Loom while Ransom Payment Rates Plummet: The percentage of companies choosing to pay ransoms dropped significantly, while threat actors shift their tactics in response to decreasing profits.
- 🏴☠️ Safepay has just published a new victim: constructiondprovost.com: Construction Donald Provost is a regional general contracting firm established in Mont-Tremblant that specialises in high-quality residential and light-commercial construction, …
- 🏴☠️ Chaos has just published a new victim: hanson-inc.com: Hanson Professional Services Inc. is a national consulting firm that specializes in engineering, planning, and allied services.
- 🏴☠️ Silentransomgroup has just published a new victim: Hall Estill: Founded in 1966 in Tulsa, Oklahoma, Hall Estill is a full-service law firm with clients ranging from F…
- 🏴☠️ Qilin has just published a new victim: Doha British School: Doha British School, Qatar, is one of the leading British international schools in Qatar, operating in the country since 1997.
- Neato’s cloud is shutting down, leaving its robovacs stuck in manual mode: Two years after US-based Neato Robotics closed up shop in 2023, its robot vacuum cleaners have reached the end of the road (or rather, hallway). Users are receiving emails notifying them that their Neato robovacs will no longer have access to cloud services.