Latest Ransomware News and New File Extensions
Qilin Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Abuses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, a technique designed to evade detection by traditional security software.
- Targets: General Windows environments. Recently listed victims include entities in the legal, biosystems, and manufacturing sectors.
- Decryption Status: No known decryption method mentioned in the report.
- Source: BleepingComputer
Various Ransomware Groups (Data Leak Activity):
- New Encrypted File Extension: Not applicable, as the focus is on data exfiltration and extortion.
- Attack Methods: Data theft followed by publication on dedicated leak sites to pressure victims into paying a ransom. Active groups include Akira, Blacknevas, Incransom, Play, Rhysida, and others.
- Targets: A wide range of global industries, including IT services (Bridgehead I.T.), legal (Bergman Dacey Goldsmith), education (Bellflower Unified School District), finance (Alios Finance Group), and retail (Yateem Group).
- Decryption Status: Not applicable; the primary threat is data exposure.
- Source: Ransomware Leak Site Monitor
Observations and Further Recommendations
- A key trend is the evolution of ransomware evasion techniques, exemplified by the Qilin group’s use of the Windows Subsystem for Linux (WSL). This cross-platform approach complicates detection for standard security tools focused solely on Windows executables.
- Ransomware-as-a-Service (RaaS) and extortion operations continue at a high pace, with numerous groups constantly listing new victims. This indicates a persistent and widespread threat to organizations across all sectors.
- It is recommended that organizations enhance security by monitoring for anomalous subsystem usage (like WSL), ensuring robust endpoint detection and response (EDR) capabilities, and maintaining secure, offline backups to mitigate the impact of both data encryption and exfiltration attacks.
News Details
- Discover Practical AI Tactics for GRC — Join the Free Expert Webinar: Artificial Intelligence (AI) is rapidly transforming Governance, Risk, and Compliance (GRC). It’s no longer a future concept—it’s here, and it’s already reshaping how teams operate.
- 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux: Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems.
- Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack: Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck.
- New TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves: A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack called TEE.Fail that allows for the extraction of secrets from the trusted execution environment (TEE) in a computer’s main processor.
- New Android Trojan ‘Herodotus’ Outsmarts Anti-Fraud Systems by Typing Like a Human: Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover (DTO) attacks.
- Researchers Expose GhostCall and GhostHire: BlueNoroff’s New Malware Chains: Threat actors tied to North Korea have been observed targeting the Web3 and blockchain sectors as part of twin campaigns tracked as GhostCall and GhostHire.
- Why Early Threat Detection Is a Must for Long-Term Business Growth: In cybersecurity, speed isn’t just a win — it’s a multiplier. The faster you learn about emerging threats, the faster you adapt your defenses, the less damage you suffer, and the more confidently your business keeps scaling.
- Is Your Google Workspace as Secure as You Think it is?: If you’re the first security or IT hire at a fast-growing startup, you’ve likely inherited a mandate that’s both simple and maddeningly complex: secure the business without slowing it down.
- Chrome Zero-Day Exploited to Deliver Italian Memento Labs’ LeetAgent Spyware: The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky.
- SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats: A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025.
- Windows 11 KB5067036 update rolls out Administrator Protection feature: Microsoft has released the KB5067036 preview cumulative update for Windows 11 24H2 and 25H2, which begins the rollout of the Administrator Protection cybersecurity feature and an updated Start Menu.
- Python rejects $1.5M grant from U.S. govt. fearing ethical compromise: The Python Software Foundation (PSF) has withdrawn its $1.5 million grant proposal to the U.S. National Science Foundation (NSF) due to funding terms forcing a compromise on its commitment to diversity, equity, and inclusion.
- Advertising giant Dentsu reports data breach at subsidiary Merkle: Japanese advertising giant Dentsu has disclosed that its U.S.-based subsidiary Merkle suffered a cybersecurity incident that exposed staff and client data.
- Qilin ransomware abuses WSL to run Linux encryptors in Windows: The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools.
- CISA warns of two more actively exploited Dassault vulnerabilities: The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes’ DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution.
- Microsoft: Copilot now lets you build apps, automate workflows: Microsoft announced today a new Microsoft 365 Copilot agent called App Builder that can help users create and deploy apps “in minutes.”
- Microsoft sued for allegedly tricking millions into Copilot M365 subscriptions: The Australian Competition and Consumer Commission (ACCC) is suing Microsoft for allegedly misleading 2.7 million Australians into paying for the Copilot AI assistant in the Microsoft 365 service.
- TEE.Fail attack breaks confidential computing on Intel, AMD, NVIDIA CPUs: Academic researchers developed a side-channel attack called TEE.Fail, which allows extracting secrets from the trusted execution environment in the CPU, the highly secure area of a system, such as Intel’s SGX and TDX, and AMD’s SEV-SNP.
- Google Chrome to warn users before opening insecure HTTP sites: Google announced today that the Chrome web browser will ask for permission by default before connecting to public, insecure HTTP websites, beginning with Chrome 154 in October 2026.
- BiDi Swap: The bidirectional text trick that makes fake URLs look real: Attackers are abusing bidirectional text to make fake URLs look real, reviving a decade-old browser flaw now fueling new phishing tricks. Varonis reveals how the “BiDi Swap” technique works and what organizations need to watch out for.
- New Atroposia malware comes with a local vulnerability scanner: A new malware-as-a-service (MaaS) platform named Atroposia provides cybercriminals a remote access trojan that combines capabilities for persistent access, evasion, data theft, and local vulnerability scanning.
- New Herodotus Android malware fakes human typing to avoid detection: A new Android malware family, Herodotus, uses random delay injection in its input routines to mimic human behavior on mobile devices and evade timing-based detection by security software.
- Google disputes false claims of massive Gmail data breach: Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts.
- Say it with me: Windows is the problem with Windows handhelds: It’s been nearly two weeks since Microsoft, a multi-trillion dollar company, shipped a $600 handheld “Xbox” that can’t be relied on to sleep, wake, or hold a charge while asleep in my tests.
- Withings’ urine scanning health tracker is now available for $350: Withings first announced its U-Scan, a non-invasive device you install in your toilet to track various health metrics, at CES 2023 two years ago. The device is finally launching in the US and Europe today with two different cartridges.
- The best foldable phone you can buy: A foldable phone isn’t for the faint of heart. They’re generally heavier, pricier, and have less capable cameras than a standard slab-style phone. They’re also still not as durable as regular smartphones, though they’re not nearly as fragile as they once were.
- Senators propose banning teens from using AI chatbots: A new piece of legislation could require AI companies to verify the ages of everyone who uses their chatbots. Sens. Josh Hawley (R-MO) and Richard Blumenthal (D-CT) introduced the GUARD Act on Tuesday, which would also ban everyone under 18 from accessing AI chatbots.
- YouTube will age-restrict more content showing ‘graphic violence’ in video games: YouTube is updating its policy to age-restrict more content containing video game scenes with “graphic violence,” the company announced on Tuesday. The update will go into effect on November 17th.
- Amazon is ditching MMOs and cranking out party games: As part of Amazon’s mass layoffs announced today, the company is making “significant” changes to its gaming division, including halting much of its work on first-party AAA MMOs, according to a memo from Steve Boom, VP of audio, Twitch, and games.
- 🏴☠️ Blacknevas has just published a new victim : Yateem Group: 500+ gigabytes and over 100,000+ files available. The Yateem Group owns nearly 100 optical outlets in addition to many other brands and facilities. A complete customer database with all contacts has been downloaded, including phones and emails of more than 9000000+ records.
- 🏴☠️ Akira has just published a new victim : Bridgehead I.T: Founded in 1999, Bridgehead I.T. Inc. provides customized Information Technology (IT) solutions for businesses across all industries. We are going to upload company data soon. You will find financial data (audit, payment details, invoices), personal financial details of employees, accounting files.
- 🏴☠️ Akira has just published a new victim : G & H Distributing: GH Distributing Inc. is a prominent agricultural and industrial supply distributor in South Dakota, known for its retail and wholesale operations. This company will soon be known as another one that doesn’t care of employee information.
- 🏴☠️ Incransom has just published a new victim : Alios Finance Group: Alios Finance Group is a leading operator in Africa providing specialized financial solutions to Professionals and Individuals. We are operating in 9 Sub-Saharan countries. 100GB of fresh data (last 3 years).
- 🏴☠️ Qilin has just published a new victim : Lorber, Greenfield & Polito, LLP: N/A
- 🏴☠️ Rhysida has just published a new victim : Gemini Group: Gemini Group
- 🏴☠️ Play has just published a new victim : Henry Raymond & Thompson: United States
- 🏴☠️ Qilin has just published a new victim : Microbix Biosystems: N/A
- 🏴☠️ Akira has just published a new victim : BK Technologies: BK Technologies mission is to remain deeply rooted in the critical communications industry for all military, first responders, and public safety heroes. We will upload 25gb of corporate documents soon.
- 🏴☠️ Akira has just published a new victim : Bergman Dacey Goldsmith: BDG Law Group is a full-service law firm based in Los Angeles, specializing in business litigation, construction law, real estate, and various other legal services. We will upload 110 GB of corporate documents soon.
- 🏴☠️ Rhysida has just published a new victim : Bellflower Unified School District: Bellflower Unified School District Headquartered Bellflower, California, Bellflower Unified School District is a general education district that offers K-12 classes.