Latest Ransomware News and New File Extensions
Nova:
- New Encrypted File Extension: Not specified in the news.
- Attack Methods: Data exfiltration (100GB claimed) and public extortion.
- Targets: Papsud, a French office products distributor.
- Decryption Status: Data has been published; no known decryption method.
- Source: Ransomware leak site monitoring feed.
Akira:
- New Encrypted File Extension: Not specified in the news.
- Attack Methods: Data exfiltration and extortion, threatening to upload corporate documents, HR files, and client information.
- Targets: Precision Machined Products (US oil & gas supplier) and MetroWest Community FCU (US financial credit union).
- Decryption Status: Data has been published; no known decryption method.
- Source: Ransomware leak site monitoring feed.
Qilin:
- New Encrypted File Extension: Not specified in the news.
- Attack Methods: Data exfiltration and public extortion.
- Targets: A diverse group including Essential Cabinetry Group (US manufacturer), City of Sugar Land (US municipality), Zacho-Lind (Danish construction), Kaufman & Stigger (US law firm), and Omrin (Dutch waste management).
- Decryption Status: Data has been published; no known decryption method.
- Source: Ransomware leak site monitoring feed.
Everest:
- New Encrypted File Extension: Not specified in the news.
- Attack Methods: Data exfiltration and public extortion.
- Targets: Air Arabia (UAE airline) and Svenska Kraftnät (Swedish national electricity grid operator).
- Decryption Status: Data has been published; no known decryption method.
- Source: Ransomware leak site monitoring feed.
Safepay:
- New Encrypted File Extension: Not specified in the news.
- Attack Methods: Data exfiltration and public extortion.
- Targets: An international list including Construction Donald Provost (Canada), Xortec GmbH (Germany), MINO Group (Japan), Bannenberg & Rowell (UK), and The Greenhouse apartments (USA).
- Decryption Status: Data has been published; no known decryption method.
- Source: Ransomware leak site monitoring feed.
Other Active Groups:
- Chaos: Targeted Hanson Professional Services Inc. (US engineering firm).
- Silentransomgroup: Targeted Hall Estill (US law firm).
- Tengu: Targeted Le MULTI LABORATOIRE LC2A (French laboratory).
- Handala (Hacktivist Group): Announced a data leak targeting high-ranking Israeli engineers and scientists, distinct from typical financially motivated ransomware.
- Source: Ransomware and hacktivist leak site monitoring feeds.
Observations and Further Recommendations
- A significant number of ransomware groups (Nova, Akira, Qilin, Everest, etc.) are actively targeting a wide array of global industries, including critical infrastructure (energy), government, finance, manufacturing, and legal services.
- The primary tactic observed is data exfiltration followed by extortion via public leak sites, emphasizing the threat of data breaches over file encryption alone.
- Other cybersecurity news highlights prevalent initial access vectors that enable these attacks, such as large-scale smishing campaigns, novel OAuth token-stealing phishing attacks (‘CoPhish’), and the exploitation of unpatched vulnerabilities in common software like WordPress plugins and Windows Server.
- To mitigate risk, organizations should prioritize timely patching of critical vulnerabilities, enhance security awareness training to defend against sophisticated phishing, and implement robust data monitoring to detect exfiltration attempts.
News Details
- Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Operation: The threat actors behind a large-scale, ongoing smishing campaign have been attributed to more than 194,000 malicious domains since January 1, 2024, targeting a broad range of services across the world, according to new findings from Palo Alto Networks Unit 42.
- New CoPhish attack steals OAuth tokens via Copilot Studio agents: A new phishing technique dubbed ‘CoPhish’ weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains.
- Hackers launch mass attacks exploiting outdated WordPress plugins: A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE).
- Microsoft Issues Emergency Patch for Critical Windows Server Bug: Microsoft initially fixed CVE-2025-59287 in the WSUS update mechanism in the October 2025 Patch Tuesday release, but the company has now issued a second, out-of-band update for the flaw, which is under attack in the wild.
- 🏴☠️ Nova has just published a new victim : Papsud: Papsud is a company that operates in the Office Products Retail & Distribution industry. It employs 10 to 19 people and has 1M to 5M of revenue. The company is headquartered in Marseille, Provence-Alpes-Cote d’Azur, France – 100GB of data taken, including gov billing and customers' info, invoices and ID details etc
- 🏴☠️ Akira has just published a new victim : Precision Machined Products: Precision Machined Products is a tier one supplier of downhole equipment for the Oil and Gas Industry. We are ready to upload more than 12gb of corporate documents.
- 🏴☠️ Qilin has just published a new victim : Essential Cabinetry Group: Simpsonville, SC-based Essential Cabinetry is a manufacturer of custom, semi-custom and stock-plus kitchen and bathroom cabinetry that is sold primarily through the dealer channel.
- 🏴☠️ Everest has just published a new victim : Air Arabia: [AI generated] Air Arabia is a low-cost airline that started its operations in 2003, based in Sharjah, United Arab Emirates. The company offers flights to over 170 destinations across the Middle East, North Africa, Asia, and Europe.
- 🏴☠️ Everest has just published a new victim : Svenska Kraftnät: [AI generated] Svenska Kraftnät is a Swedish state-owned energy company responsible for the nation’s transmission grid for electricity.
- 🏴☠️ Qilin has just published a new victim : City of Sugar Land: Founded as a sugar plantation in the early mid-20th century and incorporated in 1959, Sugar Land is a city in the state of Texas, in the United States.
- 🏴☠️ Akira has just published a new victim : MetroWest Community FCU: MetroWest Community Federal Credit Union offers a range of personal banking services including checking and savings accounts, mobile banking, and various lending products such as vehicle, home, and personal loans.