Ransomware Update – 2025-11-02

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • BADCANDY:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Exploitation of a critical vulnerability (CVE-2023-20198) in Cisco IOS XE devices to deploy a malicious implant.
    • Targets: Unpatched Cisco IOS XE devices, with a specific warning issued for Australian entities.
    • Decryption Status: No known method mentioned; the report is a preventative warning.
    • Source: ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability
  • Play Ransomware:

    • New Encrypted File Extension: Not specified in leak announcement.
    • Attack Methods: Implies data exfiltration for double extortion; specific methods are not detailed.
    • Targets: Professional’s Choice Sports, Encore Repair Services, Tavo Packaging Inc, and Wright Tool, all US-based companies.
    • Decryption Status: Not applicable (Data leak threat).
    • Source: 🏴‍☠️ Play has just published a new victim : Professional’s Choice Sports
  • Devman Ransomware:

    • New Encrypted File Extension: Not specified in leak announcement.
    • Attack Methods: Data exfiltration with ransom demands ranging from $100k to $500k.
    • Targets: A Mexican government entity (juntalocal.cdmx.gob.mx) and other commercial websites.
    • Decryption Status: Not applicable (Data leak threat).
    • Source: 🏴‍☠️ Devman has just published a new victim : juntalocal.cdmx.gob.mx
  • Incransom Ransomware:

    • New Encrypted File Extension: Not specified in leak announcement.
    • Attack Methods: Data exfiltration, claiming to have stolen confidential client files and medical records from a law firm.
    • Targets: TMF Logistics and a law firm (aa-llp.com).
    • Decryption Status: Not applicable (Data leak threat).
    • Source: 🏴‍☠️ Incransom has just published a new victim : aa-llp.com (aa.law)
  • University of Pennsylvania Breach:

    • New Encrypted File Extension: Not applicable (Data theft and extortion).
    • Attack Methods: Unauthorized access to university email systems to send threatening emails and claim data theft.
    • Targets: University of Pennsylvania, including its students and alumni.
    • Decryption Status: Not applicable.
    • Source: ‘We got hacked’ emails threaten to leak University of Pennsylvania data
  • Other Active Extortion Groups:

    • Summary: Several other groups, including Handala, Qilin, Worldleaks, and Obscura, have also announced new victims on their leak sites.
    • Targets: A diverse range of international companies in sectors such as construction (Red Phoenix Construction), pharmaceuticals (Kobayashi), technology (Lidera Network), and manufacturing (New Toyo International Holdings Ltd).
    • Methods: These groups primarily focus on data exfiltration and public shaming to extort victims.

Observations and Further Recommendations

  • A wide variety of ransomware and data extortion groups remain highly active, targeting a broad spectrum of industries globally, including government, education, legal, and manufacturing sectors.
  • The BADCANDY campaign highlights a critical trend where attackers exploit known, severe vulnerabilities in widely used network infrastructure like Cisco devices. This underscores the importance of immediate patching.
  • Ransomware operations are now almost universally data-theft-focused (“double extortion”), where the primary threat is the public release of stolen sensitive data rather than just file encryption.
  • Recommendation: Organizations must prioritize diligent patch management for all internet-facing systems. Robust security measures, including multi-factor authentication, network segmentation, and regular off-site data backups, are essential for mitigating the risk and impact of these attacks.

News Details

  • ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability: The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY.
  • OpenAI Unveils Aardvark: GPT-5 Agent That Finds and Fixes Code Flaws Automatically: OpenAI has announced the launch of an “agentic security researcher” that’s powered by its GPT-5 large language model (LLM) and is programmed to emulate a human expert capable of scanning, understanding, and patching code.
  • Google confirms AI search will have ads, but they may look different: Google Ads are not going anywhere. Eventually, AI Search results on Google and likely other properties will have ads.
  • Windows 11 Build 26220.7051 released with “Ask Copilot” feature: Windows 11 Build 26220.7051 is now rolling out to testers in the Windows Insider Program, and there are at least three new features, including Ask Copilot in the taskbar.
  • China-linked hackers exploited Lanscope flaw as a zero-day in attacks: China-linked cyber-espionage actors tracked as ‘Bronze Butler’ (Tick) exploited a Motex Lanscope Endpoint Manager vulnerability as a zero-day to deploy an updated version of their Gokcpdoor malware.
  • Windows 11 tests shared Bluetooth audio support, but only for AI PCs: If you have two headphones, speakers, earbuds, or any other Bluetooth hardware, you can now use both simultaneously on a Copilot+ PC.
  • ‘We got hacked’ emails threaten to leak University of Pennsylvania data: The University of Pennsylvania suffered a cybersecurity incident on Friday, where students and alumni received a series of offensive emails from various University email addresses, claiming that data was stolen in a breach.
  • Microsoft Edge gets scareware sensor for faster scam detection: Microsoft is introducing a new scareware sensor for the Microsoft Edge web browser, which helps detect scam pages more quickly and ensures that Defender SmartScreen blocks them faster.
  • Google’s Pixel Watch 3 and Anker’s two-headed USB-C cable are our favorite deals this week: Google’s last-gen Pixel Watch 3 is on sale for $199.99 ($100 off) for a limited time. There are plenty of good smartwatches out there, and Google’s last-gen Pixel Watch 3 is one of them.
  • Ayaneo Phone confirmed in a teaser featuring retro Remake branding: Ayaneo is best known for its retro gaming handhelds, but the company has now confirmed its first phone will be coming soon.
  • LG’s brilliant B5 OLED TV is already down to just $530 for Black Friday: Best Buy’s latest doorbuster deal nets you a cool $770 off the regular price.
  • You wish your phone had the Oppo Find X9 Pro’s battery life: The Find X9 Pro features a large battery, but it’s still a pretty slender device. Whenever I review a phone, one of the first things I do after setting it up is charge it to full and then just… let it run, using it as my only phone for as long as I can.
  • The Playdate is a great indie puzzle machine: We’re living in a wonderful period for puzzle games. Seemingly everyone, from The New York Times to LinkedIn, has fun puzzles to play, so every morning I have plenty of options to accompany my first coffee of the day.
  • GTA VI developer accused of union busting in mass firings: Rockstar Games, the developer of Grand Theft Auto VI, fired between 30 and 40 employees on Thursday, as previously reported by Bloomberg.
  • Here are the shipping and return policies for all the big-name retailers: With the holidays quickly approaching, everyone will soon be on the hunt for gifts and the fastest way to get them.
  • Microsoft releases an Xbox Full Screen Experience preview for the MSI Claw: Microsoft’s new Xbox Full Screen Experience (FSE), which adds a console-like navigation experience to Windows PC gaming handhelds, is coming to another family of devices: the MSI Claw.
  • Windows 11 tests Bluetooth audio sharing that connects two headsets at once: Microsoft is bringing shared audio to Windows 11, allowing you to stream audio across two pairs of wireless headphones, speakers, earbuds, or hearing aids.
  • Dolby Atmos arrives in the new, affordable China-exclusive Hyundai Elexio: Dolby Atmos, the dominant name behind spatial audio in theaters and the home, has become a fixture in luxury cars from the likes of Mercedes-Benz, Rivian, Cadillac, and Lucid priced upwards of $70,000.
  • UNC6384 Targets European Diplomatic Entities With Windows Exploit: The spear-phishing campaign uses fake European Commission and NATO-themed lures to trick diplomatic personnel into clicking malicious links.
  • Ribbon Communications Breach Marks Latest Telecom Attack: The US telecom company disclosed that suspected nation-state actors first gained access to its network in December of last year, though it’s unclear if attackers obtained sensitive data.
  • 🏴‍☠️ Devman has just published a new victim : mceicl.com: Ransom: 50gb 100k
  • 🏴‍☠️ Play has just published a new victim : Professional’s Choice Sports: United States
  • 🏴‍☠️ Handala has just published a new victim : The Saturday Files: Saturdays may be ordinary on your calendar, but for us, they mark a day of revelation, a day when we shake the foundations of your artificial calm with the tremor of truth.
  • 🏴‍☠️ Qilin has just published a new victim : Red Phoenix Construction: N/A
  • 🏴‍☠️ Worldleaks has just published a new victim : Kobayashi: [AI generated] Kobayashi Pharmaceutical Co. Ltd. is a Japanese company that specializes in the manufacturing and sale of over-the-counter drugs, oral hygiene products, and healthcare items.
  • 🏴‍☠️ Obscura has just published a new victim : New Toyo International Holdings Ltd: Revenue: $221.7kk | Leak Size: 2 GB | Status: Pending | Time Left: 6d 17h 27m 32s
  • 🏴‍☠️ Incransom has just published a new victim : TMF Logistics: 39,308,400,640 bytes