Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration for double extortion. The group claims to have stolen sensitive corporate data, including financial records, employee and client PII (Social Security Numbers, driver’s licenses), contracts, and legal documents.
- Targets: A diverse range of organizations including The Gerson (manufacturing), RPI Roofing (construction), Clarion Safety Systems, Bell Engineering, Ritz Clark & Ben-Asher LLP (law firm), Wright-Gardner Insurance, Sadler Gibb & Associates (accounting), Bridgehead I.T. (IT services), and G & H Distributing (agricultural supply).
- Decryption Status: No known public decryption tool.
- Source: Ransomware leak site announcements for “The Gerson,” “RPI Roofing,” “Clarion Safety Systems,” “Bell Engineering,” “Ritz Clark & Ben-Asher,” “Wright-Gardner Insurance,” “Sadler Gibb & Associates,” “Bridgehead I.T,” and “G & H Distributing.”
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion. Most announcements did not provide specific details on the stolen data.
- Targets: A high volume of diverse entities, many identified only by domain. Victims include Price & Ramey Insurance, Super Value, Truro Cannabis, Altimedia, Enessance Holdings Co., Ltd, Malibu Boats Australia, and Lorber, Greenfield & Polito, LLP, among others.
- Decryption Status: No known public decryption tool.
- Source: Ransomware leak site announcements for various victims including “Price & Ramey Insurance,” “Super Value,” and “Truro Cannabis.”
Incransom:
- New Encrypted File Extension: Not specified.
- Attack Methods: Large-scale data exfiltration for extortion. The group claims to have stolen over 20 TB of data from one victim, including databases, SSNs, client IDs, and full credit histories.
- Targets: Evolve Mortgage Services, DILOSA FOOD COMPANIES, and Alios Finance Group.
- Decryption Status: No known public decryption tool.
- Source: Ransomware leak site announcements for “Evolve Mortgage Services,” “DILOSA FOOD COMPANIES,” and “Alios Finance Group.”
Rhysida:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration of highly sensitive information, including patient records containing SSNs, diagnoses, and medical histories.
- Targets: Spindletop Center (non-profit healthcare) and Gemini Group.
- Decryption Status: No known public decryption tool.
- Source: Ransomware leak site announcements for “Spindletop Center” and “Gemini Group.”
Blacknevas:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration, claiming to have stolen over 500 GB of data, including a customer database with over 9 million records and employee PII.
- Targets: Yateem Group (optical retail and other brands).
- Decryption Status: No known public decryption tool.
- Source: Ransomware leak site announcement for “Yateem Group.”
Observations and Further Recommendations
- A significant volume of ransomware activity was reported from numerous threat groups, with Akira and Qilin demonstrating particularly high operational tempos by listing many victims in a short period.
- The attacks showcase a wide and opportunistic targeting strategy, impacting a diverse range of industries globally, including finance, healthcare, legal, manufacturing, IT, and retail.
- The primary technique detailed in these reports is data theft followed by threats of public leaks (double extortion), so defenses cannot stop at preventing initial access: bulk outbound transfers also need to be detected and blocked while they are in progress. Note that the victim listings and the stated data volumes are the groups' own claims from their leak sites and have not been independently verified.
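The detection side of that recommendation, as an added example that is not part of the bulletin: a small Python job that flags sources moving a large volume of data to a single outside destination over a window. The log format, the hostnames and IPs, the 1 GiB threshold, and the backup allowlist are all assumptions chosen for the illustration; the traffic lines are constructed, not captured.

```python
"""Flag sources whose outbound volume looks like bulk exfiltration.

Input: constructed proxy/egress log lines (assumed format, one per line):
    <timestamp> <src_ip> <dst_host> <bytes_out>
Signals: total bytes_out per source over the window above a threshold,
with most of that volume going to one destination not on an allowlist.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic, not captured from any real network.
SAMPLE_LOG = """\
2025-10-30T01:02:03Z 10.0.5.12 cdn.example.net 48211
2025-10-30T01:05:10Z 10.0.5.12 mail.example.net 120400
2025-10-30T01:07:44Z 10.0.5.31 files.bucket-host.example 2147483648
2025-10-30T01:09:02Z 10.0.5.31 files.bucket-host.example 3221225472
2025-10-30T01:11:50Z 10.0.5.31 cdn.example.net 9200
2025-10-30T01:14:21Z 10.0.5.77 backup.corp.example 4294967296
2025-10-30T01:16:09Z 10.0.5.77 cdn.example.net 3300000
"""

# Assumed allowlist of destinations that legitimately receive bulk data.
KNOWN_BULK_DESTINATIONS = frozenset({"backup.corp.example"})


@dataclass
class Finding:
    src_ip: str
    total_bytes: int
    top_dst: str
    top_share: float


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, src, dst, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than abort the job
        ts, src, dst, nbytes = parts
        rows.append((ts, src, dst, int(nbytes)))
    return rows


def detect_bulk_egress(rows, threshold_bytes=1 << 30, min_share=0.9,
                       allow_dsts=KNOWN_BULK_DESTINATIONS):
    """Return one Finding per source that sent at least threshold_bytes,
    with at least min_share of it to one destination outside the allowlist."""
    per_src = defaultdict(int)
    per_src_dst = defaultdict(lambda: defaultdict(int))
    for _, src, dst, n in rows:
        if dst in allow_dsts:
            continue  # sanctioned bulk traffic (backups) is not counted
        per_src[src] += n
        per_src_dst[src][dst] += n

    findings = []
    for src, total in per_src.items():
        if total < threshold_bytes:
            continue
        top_dst, top_bytes = max(per_src_dst[src].items(), key=lambda kv: kv[1])
        share = top_bytes / total
        if share >= min_share:
            findings.append(Finding(src, total, top_dst, round(share, 3)))
    return findings


if __name__ == "__main__":
    for f in detect_bulk_egress(parse_log(SAMPLE_LOG)):
        print(f"ALERT {f.src_ip}: {f.total_bytes} bytes, "
              f"{f.top_share:.1%} to {f.top_dst}")
```

In the sample, 10.0.5.77 sends 4 GiB, but to the allowlisted backup host, so it is not flagged; 10.0.5.31 pushes roughly 5 GiB almost entirely to one unlisted host and is. In production the threshold should come from a per-host baseline rather than a fixed constant, and the window should be short enough that an alert fires while the transfer is still running.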
News Details
- ThreatsDay Bulletin: DNS Poisoning Flaw, Supply-Chain Heist, Rust Malware Trick and New RATs Rising: The comfort zone in cybersecurity is gone. Attackers are scaling down, focusing tighter, and squeezing more value from fewer, high-impact targets. At the same time, defenders face growing blind spots — from spoofed messages to large-scale social engineering.
- PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs: Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers’ machines.
- Experts Report Sharp Increase in Automated Botnet Attacks Targeting PHP Servers and IoT Devices: Cybersecurity researchers are calling attention to a spike in automated attacks targeting PHP servers, IoT devices, and cloud gateways by various botnets such as Mirai, Gafgyt, and Mozi.
- New AI-Targeted Cloaking Attack Tricks AI Crawlers Into Citing Fake Info as Verified Facts: Cybersecurity researchers have flagged a new security issue in agentic web browsers like OpenAI ChatGPT Atlas that exposes underlying artificial intelligence (AI) models to context poisoning attacks.
- Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics: Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks.
- 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux: Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems.
- Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack: Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck.
- New TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves: A group of academic researchers from Georgia Tech, Purdue University, and Synkhronix have developed a side-channel attack called TEE.Fail that allows for the extraction of secrets from the trusted execution environment (TEE) in a computer’s main processor.
- Microsoft: DNS outage impacts Azure and Microsoft 365 services: Microsoft is suffering an ongoing DNS outage affecting customers worldwide, preventing them from logging into company networks and accessing Microsoft Azure and Microsoft 365 services.
- PhantomRaven attack floods npm with credential-stealing packages: An active campaign named ‘PhantomRaven’ is targeting developers with dozens of malicious npm packages that steal authentication tokens, CI/CD secrets, and GitHub credentials.
- Advertising giant Dentsu reports data breach at subsidiary Merkle: Japanese advertising giant Dentsu has disclosed that its U.S.-based subsidiary Merkle suffered a cybersecurity incident that exposed staff and client data.
- Microsoft says it’s recovering after Azure outage took down 365, Xbox, and Starbucks: Microsoft Azure, the company’s cloud computing service, has experienced an outage just one week after issues with AWS took out swaths of the internet. The issues impacted Microsoft’s services that run on Azure, including Microsoft 365, Xbox, and even Minecraft.
- Data Leak Outs Students of Iran’s MOIS Training Academy: A school for the Iranian state hackers of tomorrow has itself, ironically, been hacked.
- 🏴☠️ Ransomhouse has just published a new victim : ASKUL: ASKUL Corporation, founded in 1963 and headquartered in Tokyo, is a leading Japanese e-commerce company serving both businesses (B2B) and consumers (B2C).
- 🏴☠️ Akira has just published a new victim : The Gerson: Gerson is a company specializing in high-quality respiratory protection products, including NIOSH and FDA approved respirators, masks, and filter systems.
- 🏴☠️ Akira has just published a new victim : RPI Roofing: RPI Roofing specializes in providing professional commercial roofing services for businesses in the southeastern United States.
- 🏴☠️ Rhysida has just published a new victim : Spindletop Center: Spindletop Center is a non-profit healthcare organization focused on providing behavioral healthcare, as well as programs for individuals with intellectual and developmental disabilities and substance use recovery services.
- 🏴☠️ Incransom has just published a new victim : Evolve Mortgage Services: Introducing Evolve Mortgage Services (old company name: mrn3.com). We stole more than 20 TB of company data, including 2 TB of databases.
- 🏴☠️ Blacknevas has just published a new victim : Yateem Group: 500+ gigabytes and over 100,000+ files available. The Yateem Group owns nearly 100 optical outlets in addition to many other brands and facilities. A complete customer database with all contacts has been downloaded, including phones and emails of more than 9,000,000+ records.
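Three of the items above (PhantomRaven in npm, listed twice, and the ten credential-stealing npm packages) share the same practical question for a developer: which packages in my tree can run code or fetch content at install time? As an added example, not the bulletin's or any researcher's code, the Python below audits a flattened dependency tree for two generic red flags, lifecycle scripts and dependency specifiers that resolve outside the registry. The page does not say which mechanism those campaigns used, so this is a general hygiene check, and the package names, manifests and URLs are constructed.

```python
"""Audit npm package manifests for install-time supply-chain red flags.

Two things a package can use to execute code or pull content when installed:
  1. lifecycle scripts (preinstall/install/postinstall; prepare for git deps)
  2. dependency specifiers that bypass the registry (http(s) tarballs,
     git URLs, github: shorthands, file: paths)
Assumed input: dict of package name -> contents of its package.json, as you
would build by walking node_modules/*/package.json.
"""
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
NON_REGISTRY = re.compile(r"^(https?://|git\+|git://|github:|file:)")
DEP_FIELDS = ("dependencies", "optionalDependencies")

# Constructed sample tree; these packages and hosts do not exist.
SAMPLE_TREE = {
    "left-pad-ish": {
        "version": "1.0.0",
        "dependencies": {"lodash": "^4.17.21"},
    },
    "shiny-helper": {
        "version": "0.2.1",
        "scripts": {"postinstall": "node ./setup.js"},
        "dependencies": {
            "util-bundle": "http://cdn.example.invalid/util-bundle-1.tgz",
            "semver": "^7.0.0",
        },
    },
    "build-tool": {
        "version": "3.1.0",
        "scripts": {"test": "jest"},  # test scripts do not run on install
    },
}


def audit_manifest(name, manifest):
    """Return (package, reason, detail) tuples for one package.json dict."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append((name, f"lifecycle script {hook}", cmd))
    for field in DEP_FIELDS:
        for dep, spec in manifest.get(field, {}).items():
            if NON_REGISTRY.match(spec):
                findings.append((name, f"non-registry dependency {dep}", spec))
    return findings


def audit_tree(tree):
    """Audit every package in a name -> manifest mapping."""
    findings = []
    for name, manifest in tree.items():
        findings.extend(audit_manifest(name, manifest))
    return findings


if __name__ == "__main__":
    for pkg, reason, detail in audit_tree(SAMPLE_TREE):
        print(f"{pkg}: {reason}: {detail}")
```

Only shiny-helper is reported, once for its postinstall hook and once for the HTTP tarball dependency; semver ranges and test scripts are ignored. Running this in CI before `npm ci`, together with `--ignore-scripts` for installs that do not need native builds, turns the credential-theft pattern in those reports from a silent install into a reviewable diff.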