Ransomware Update – 2025-11-07

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Malicious VS Code Extension (“susvsex”):

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: A malicious extension (“susvsex”), apparently created with AI assistance, was published on the official Microsoft VS Code marketplace. It contains basic, built-in ransomware functionality.
    • Targets: Developers using the Visual Studio Code software.
    • Decryption Status: No known decryption method; the extension is considered a test with basic capabilities.
    • Source: https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code.html
  • Nevada Government Attack:

    • New Encrypted File Extension: Not specified in the article.
    • Attack Methods: An unnamed ransomware gang breached and encrypted government systems, though the initial access vector was not detailed.
    • Targets: The State of Nevada, affecting 60 state agencies and disrupting critical public services.
    • Decryption Status: The victim has completed its recovery; no public decryption tool was mentioned.
    • Source: https://www.bleepingcomputer.com/news/security/how-a-ransomware-gang-encrypted-nevada-governments-systems/
  • Google Maps Review Bombing Extortion:

    • New Encrypted File Extension: Not applicable (reputation-based extortion).
    • Attack Methods: Threat actors post a large number of fake, negative reviews on a business’s Google Maps profile (“review bombing”) and then demand a ransom to remove them.
    • Targets: Businesses listed on Google Maps.
    • Decryption Status: Not applicable. Google has released a dedicated form for businesses to report such extortion attempts.
    • Source: https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html

Observations and Further Recommendations

  • Multiple ransomware groups, including Qilin, Stormous, Incransom, Akira, Anubis, and others, are highly active, publicly listing numerous victims from diverse sectors such as government, healthcare, legal services, and manufacturing.
  • Attack vectors are expanding into new territories, with a malicious Visual Studio Code extension demonstrating that threat actors are targeting developers through trusted software marketplaces.
  • Extortion tactics are diversifying. The “review bombing” of businesses on Google Maps shows a shift towards leveraging reputational damage, not just data encryption, to demand ransoms.
  • To mitigate these threats, organizations should maintain rigorous security practices, including regular offline backups, strict access controls with multi-factor authentication, prompt patching of vulnerabilities, and thorough vetting of third-party applications and extensions.

News Details

  • Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities: Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to have been created with the help of artificial intelligence – in other words, vibe-coded.
  • How a ransomware gang encrypted Nevada government’s systems: The State of Nevada has completed its recovery from a ransomware attack it suffered on August 24, 2025, which impacted 60 state agencies, disrupting critical services related to health and public safety.
  • Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts: Google on Thursday said it’s rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments.
  • AI-Slop ransomware test sneaks on to VS Code marketplace: A malicious extension with basic ransomware capabilities, seemingly created with the help of AI, has been published on Microsoft’s official VS Code marketplace.
  • U.S. Congressional Budget Office hit by suspected foreign cyberattack: The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data.
  • SonicWall Confirms State-Sponsored Hackers Behind September Cloud Backup Breach: SonicWall has formally identified state-sponsored threat actors as being behind the September security breach that led to the unauthorized exposure of firewall configuration backup files.
  • Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362: Cisco on Wednesday disclosed that it became aware of a new attack variant that’s designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.