Ransomware Update – 2025-11-08

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • AI-Generated VS Code Extension (Ransomvibing):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: A malicious Visual Studio Code extension named “susvsex” was published to the official marketplace. It has basic ransomware capabilities, including data encryption and exfiltration, and appears to be generated with AI assistance.
    • Targets: Developers using Visual Studio Code.
    • Decryption Status: No known tool; the extension appears to be a test or proof-of-concept and does not hide its malicious nature.
    • Source: https://thehackernews.com/2025/11/vibe-coded-malicious-vs-code-extension.html
  • Clop Ransomware Group:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion via posts on its leak site.
    • Targets: Recently listed major entities including WASHINGTONPOST.COM, LOGITECH.COM, TRIMBLE.COM, KIRBYCORP.COM, and several others.
    • Decryption Status: No information on decryption; the group focuses on data leakage threats.
    • Source: Ransomware leak site monitoring.
  • Qilin Ransomware Group:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data theft and extortion.
    • Targets: Announced numerous new victims from various sectors, including Scouts Canada, SHRM New Mexico, Wasserverband Wulkatal, and Marine Turbine Technologies.
    • Decryption Status: No known decryption method.
    • Source: Ransomware leak site monitoring.
  • Akira Ransomware Group:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration with threats to leak sensitive corporate and personal information, including employee SSNs, passports, and medical data.
    • Targets: Claimed attacks on companies such as Soapy Joe’s Car Wash, Shands Elbert law firm, PLP SoCal, and Mold In Graphic Systems.
    • Decryption Status: No known decryption method.
    • Source: Ransomware leak site monitoring.
  • Medusa Ransomware Group:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion, detailing the volume of stolen data (e.g., 1.21 TB from one victim).
    • Targets: High-profile victims listed include Simon Property Group, Clackamas Community College, LaRosa’s Pizzeria, and Oscars Group.
    • Decryption Status: No known decryption method.
    • Source: Ransomware leak site monitoring.
  • Malicious NuGet Packages (Logic Bombs):

    • New Encrypted File Extension: Not applicable (sabotage payload).
    • Attack Methods: Nine malicious packages were published to the NuGet repository with hidden “time bombs” set to trigger on specific dates in 2027 and 2028 to sabotage systems.
    • Targets: Database operations and Siemens S7 industrial control systems.
    • Decryption Status: This is a destructive payload, not encryption for ransom. No recovery method is mentioned.
    • Source: https://thehackernews.com/2025/11/hidden-logic-bombs-in-malware-laced.html
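The NuGet entry above describes payloads that stay dormant until a hard-coded date in 2027 or 2028, so a package that behaves cleanly in a sandbox today tells you nothing about what it does then. A cheap triage check is to look inside the package for hard-coded future dates. The script below is an added example (not code from the article, the affected packages or NuGet): it treats a .nupkg as the zip it is and searches each member for date literals in a window of interest, in C# source (`new DateTime(2027, ...)`), in ASCII strings, and in UTF-16LE strings, which is how .NET stores string literals in an assembly. The 2026-2030 window, the sample package and the trigger dates in it are constructed for the demo; a hit is a reason to look, not a verdict.

```python
"""Heuristic scan of a .nupkg for hard-coded future-date triggers.

Added example; the sample package, the WINDOW bounds and the trigger
dates below are constructed for the demo, not taken from any real
package. Date literals outside the window (build stamps such as a
2025 date) are ignored on purpose.
"""
import io
import re
import zipfile
from datetime import date

WINDOW = (2026, 2030)  # assumption: years to treat as "future trigger"

# `new DateTime(2027, 8, 15)` in shipped C# source / content files
SRC_RE = re.compile(
    r"new\s+DateTime\s*\(\s*(\d{4})\s*,\s*(\d{1,2})\s*,\s*(\d{1,2})")
# ISO-style dates as plain ASCII ...
ASCII_RE = re.compile(rb"(\d{4})-(\d{2})-(\d{2})")
# ... and as UTF-16LE (every ASCII char followed by a NUL), as in the
# user-string heap of a .NET assembly
UTF16_RE = re.compile(rb"(?:\d\x00){4}-\x00(?:\d\x00){2}-\x00(?:\d\x00){2}")


def _in_window(year: int) -> bool:
    return WINDOW[0] <= year <= WINDOW[1]


def _valid(y: int, m: int, d: int) -> bool:
    try:
        date(y, m, d)
        return True
    except ValueError:
        return False


def scan_member(name: str, data: bytes) -> list:
    """Return (member, encoding, date) tuples for dates inside WINDOW."""
    findings = []
    if name.endswith((".cs", ".vb", ".fs")):
        for m in SRC_RE.finditer(data.decode("utf-8", "replace")):
            y, mo, d = (int(g) for g in m.groups())
            if _valid(y, mo, d) and _in_window(y):
                findings.append((name, "source", f"{y:04d}-{mo:02d}-{d:02d}"))
    for m in ASCII_RE.finditer(data):
        y, mo, d = (int(g) for g in m.groups())
        if _valid(y, mo, d) and _in_window(y):
            findings.append((name, "ascii-string", m.group().decode()))
    for m in UTF16_RE.finditer(data):
        text = m.group().decode("utf-16-le")
        y, mo, d = (int(p) for p in text.split("-"))
        if _valid(y, mo, d) and _in_window(y):
            findings.append((name, "utf16-string", text))
    return findings


def scan_nupkg(blob: bytes) -> list:
    """Walk every file in the package (a .nupkg is a zip) and collect hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if not info.is_dir():
                findings.extend(scan_member(info.filename, z.read(info)))
    return findings


def build_sample_package() -> bytes:
    """Constructed sample .nupkg: a benign DLL with a 2025 build stamp, a DLL
    carrying a UTF-16 2027 trigger date, and a content file with a 2028
    DateTime literal. None of this is real package content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/net8.0/Benign.dll",
                   b"MZ\x90\x00built 2025-11-08" + b"\x00" * 16)
        trigger = "2027-08-15".encode("utf-16-le")
        z.writestr("lib/net8.0/Sabotage.dll",
                   b"MZ\x90\x00" + b"\x00" * 8 + trigger + b"\x00" * 8)
        z.writestr("contentFiles/cs/any/Init.cs",
                   "if (DateTime.UtcNow > new DateTime(2028, 1, 10)) Corrupt();\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, when in scan_nupkg(build_sample_package()):
        print(f"{member}: {kind} date {when}")
```

Run it against a real package with `scan_nupkg(open("pkg.nupkg", "rb").read())`. Compiled code can also build a trigger date from integers or compare `DateTime.Now.Ticks` against a constant, which this string-level scan will not see, so treat a clean result as "nothing obvious" and keep the dynamic checks (clock-shifted test runs) for packages that reach production.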

Observations and Further Recommendations

  • Ransomware groups like Clop, Qilin, Akira, and Medusa continue to be highly active, targeting a diverse range of industries including technology, retail, education, legal services, and public entities.
  • Software supply chain attacks remain a critical threat vector, with malicious packages discovered in developer ecosystems like NuGet and the VS Code marketplace. In the NuGet case the payloads are time-delayed (triggers in 2027 and 2028), so a package that behaves cleanly in testing today can still detonate years after installation.
  • Spyware is also being actively deployed through zero-day vulnerabilities, as seen in the LANDFALL campaign that exploited a flaw in Samsung devices to conduct surveillance.
  • Organizations should vet and allowlist third-party packages and editor extensions rather than trusting marketplace listings, apply vendor patches promptly once they ship (a patch cannot stop a zero-day before it exists, but the Samsung flaw used by LANDFALL and the QNAP flaws from Pwn2Own are now fixed, and unpatched systems stay exposed), and keep offline or immutable backups so that encryption and extortion can be survived without paying.
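For the extension side of the recommendation above, and for the "susvsex" VS Code item in the summary, a practical local control is to audit what is installed against a publisher allowlist and to flag extensions that both run without user action and carry the capability mix the article describes (walk files, encrypt them, send data out). The script below is an added example, not code from the page, Microsoft or the extension in question. It assumes the usual VS Code layout (one folder per extension under the extensions directory, each with a package.json manifest and bundled JavaScript); the allowlist, the demo manifests and the demo JavaScript are constructed here and do not describe the real extension's contents.

```python
"""Audit installed VS Code extensions for allowlist and capability signals.

Added example. ALLOWED_PUBLISHERS is an assumption (replace with your
own), and build_demo_root() fabricates two extensions in a temp dir so
the script runs offline; neither is the real extension from the news.
"""
import json
import re
import tempfile
from pathlib import Path

ALLOWED_PUBLISHERS = {"ms-python", "ms-vscode", "redhat"}  # assumption
STARTUP_EVENTS = {"*", "onStartupFinished"}  # runs with no user action

# Crude capability indicators in the extension's bundled JavaScript.
CAPABILITIES = {
    "filesystem-walk": re.compile(r"\b(readdir(?:Sync)?|walk(?:dir)?|glob)\s*\("),
    "encryption": re.compile(r"\bcreateCipheriv\s*\(|\bcrypto\.subtle\.encrypt\b"),
    "network-egress": re.compile(r"\bhttps?\.request\s*\(|\bfetch\s*\(|\baxios\b|\bnet\.connect\s*\("),
    "shell": re.compile(r"\b(exec|execSync|spawn|spawnSync)\s*\("),
}
RANSOM_COMBO = {"filesystem-walk", "encryption", "network-egress"}


def audit_extension(ext_dir: Path) -> list:
    """Return a list of reasons to look closer (empty means nothing found)."""
    reasons = []
    manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    publisher = manifest.get("publisher", "")
    if publisher not in ALLOWED_PUBLISHERS:
        reasons.append(f"publisher '{publisher}' not allowlisted")
    startup = set(manifest.get("activationEvents", [])) & STARTUP_EVENTS
    if startup:
        reasons.append("activates without user action: " + ", ".join(sorted(startup)))
    caps = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        caps |= {name for name, rx in CAPABILITIES.items() if rx.search(text)}
    if RANSOM_COMBO <= caps:
        reasons.append("walks files, encrypts and talks to the network: " + ", ".join(sorted(caps)))
    return reasons


def audit_extensions_root(root: Path) -> dict:
    """Map extension folder name -> reasons, for every extension that has any."""
    report = {}
    for manifest in sorted(root.glob("*/package.json")):
        try:
            reasons = audit_extension(manifest.parent)
        except (OSError, ValueError) as exc:
            reasons = [f"unreadable manifest: {exc}"]
        if reasons:
            report[manifest.parent.name] = reasons
    return report


def build_demo_root() -> Path:
    """Constructed demo: one allowlisted, language-triggered extension and one
    that mimics the behaviour described in the article (made-up contents)."""
    root = Path(tempfile.mkdtemp())
    good = root / "ms-python.python-2025.1.0"
    (good / "out").mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({
        "name": "python", "publisher": "ms-python",
        "activationEvents": ["onLanguage:python"], "main": "./out/main.js"}))
    (good / "out" / "main.js").write_text(
        "exports.activate = () => vscode.window.showInformationMessage('hi');\n")
    bad = root / "example.demo-ext-0.0.1"
    bad.mkdir()
    (bad / "package.json").write_text(json.dumps({
        "name": "demo-ext", "publisher": "example",
        "activationEvents": ["*"], "main": "./extension.js"}))
    (bad / "extension.js").write_text(
        "const fs=require('fs'),crypto=require('crypto'),https=require('https');\n"
        "for (const f of fs.readdirSync(dir)) {\n"
        "  const c=crypto.createCipheriv('aes-256-cbc',key,iv);\n"
        "  https.request({host:host,method:'POST'}).end(c.update(fs.readFileSync(f)));\n"
        "}\n")
    return root


if __name__ == "__main__":
    for name, reasons in audit_extensions_root(build_demo_root()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Point it at the real directory with `audit_extensions_root(Path.home() / ".vscode" / "extensions")`. The capability regexes are deliberately simple and a minified or obfuscated bundle will defeat them; the allowlist and the startup-activation check are the durable part, since an extension that cannot run until a user invokes it has a much smaller blast radius.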

News Details

  • Samsung Mobile Flaw Exploited as Zero-Day to Deploy LANDFALL Android Spyware: A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a “commercial-grade” Android spyware dubbed LANDFALL in targeted attacks in the Middle East.
  • From Log4j to IIS, China’s Hackers Turn Legacy Bugs into Global Espionage Tools: A China-linked threat actor has been attributed to a cyber attack targeting a U.S. non-profit organization with the aim of establishing long-term persistence, as part of broader activity aimed at U.S. entities that are linked to or involved in policy issues.
  • Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation: A set of nine malicious NuGet packages has been identified as capable of dropping time-delayed payloads to sabotage database operations and corrupt industrial control systems.
  • Enterprise Credentials at Risk – Same Old, Same Old?: Imagine this: Sarah from accounting gets what looks like a routine password reset email from your organization’s cloud provider. She clicks the link, types in her credentials, and goes back to her spreadsheet. But unknown to her, she’s just made a big mistake.
  • Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts: Google on Thursday said it’s rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative comments.
  • Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities: Cybersecurity researchers have flagged a malicious Visual Studio Code (VS Code) extension with basic ransomware capabilities that appears to be created with the help of artificial intelligence – in other words, vibe-coded.
  • Malicious NuGet packages drop disruptive ‘time bombs’: Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices.
  • Microsoft testing faster Quick Machine Recovery in Windows 11: Microsoft is testing a faster version of Quick Machine Recovery (QMR) and updated Smart App Control (SAC), allowing users to toggle it without requiring a Windows clean install.
  • QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own: QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
  • New LandFall spyware exploited Samsung zero-day via WhatsApp messages: A threat actor exploited a zero-day vulnerability in Samsung’s Android image processing library to deploy a previously unknown spyware called ‘LandFall’ using malicious images sent over WhatsApp.
  • Cisco: Actively exploited firewall flaws now abused for DoS attacks: Cisco warned this week that two vulnerabilities, which have been exploited in zero-day attacks, are now being abused to force ASA and FTD firewalls into reboot loops.
  • ID verification laws are fueling the next wave of breaches: ID laws are forcing companies to store massive amounts of sensitive data, turning compliance into a security risk. Acronis explains how integrated backup and cybersecurity platforms help MSPs reduce complexity and close the gaps attackers exploit.
  • Leak confirms Google Gemini 3 Pro and Nano Banana 2 could launch soon: Google is planning to ship two new models. One is Gemini 3, which is optimised for coding and regular use, and the second is Nano Banana 2 for generating realistic images.
  • U.S. Congressional Budget Office hit by suspected foreign cyberattack: The U.S. Congressional Budget Office (CBO) confirms it suffered a cybersecurity incident after a suspected foreign hacker breached its network, potentially exposing sensitive data.
  • AI-Slop ransomware test sneaks on to VS Code marketplace: A malicious extension with basic ransomware capabilities seemingly created with the help of AI, has been published on Microsoft’s official VS Code marketplace.
  • How a ransomware gang encrypted Nevada government’s systems: The State of Nevada has completed its recovery from a ransomware attack it suffered on August 24, 2025, which impacted 60 state agencies, disrupting critical services related to health and public safety.
  • Halo Infinite is about to get its last major update: On November 18th, Operation: Infinite will be released for Halo Infinite players with a battle pass and lots of new customizations, but according to the team, that’s it for this game’s content updates.
  • Maybe Peloton is its own worst enemy: A good product and loyal audience is a winning formula for everyone except, it seems, Peloton. For years – through its pandemic-fueled highs and its post-quarantine malaise – Peloton has held its earnings calls at a bright and bushy 8:30AM ET. Not yesterday.
  • The best Fitbits for your fitness and health: In 2025, you might wonder if Fitbit is still relevant. Despite being acquired by Google, Fitbit remains one of the most recognizable names in the industry.
  • World of Warcraft is getting a new kind of fake money: The long-awaited addition of Housing in World of Warcraft is going to cost you. On top of your monthly subscription and the cost of the Midnight expansion itself, some Housing items will require a new in-game currency called “Hearthsteel” that players will have to pay for with real money.
  • Blackmagic’s free camera app can now stream directly to YouTube and Twitch: Blackmagic released an update to its free camera app with some new features that streamers and professional broadcasters will appreciate. Both the Android and iOS versions of the Blackmagic Camera app can now stream directly to YouTube, Twitch, and Vimeo.
  • Anker’s 521 PowerHouse can power up to six devices, and it’s on sale: From weekend camping trips to unexpected power outages, having a reliable power source like the Anker 521 PowerHouse can be a lifesaver. Normally $249.99, right now you can buy the power station for the new low price of $128.99 at checkout at Amazon.
  • Steam store pages are wider now: Valve is making Steam store pages wider as part of a new update rolling out today. With the changes, “many pages” will be widened from “940 pixels to now 1200 pixels,” Valve says.
  • Texas sues Roblox for allegedly failing to protect children on its platform: Texas AG Ken Paxton is accusing Roblox of “putting pixel pedophiles and profits over the safety of Texas children,” alleging in a lawsuit filed this week that it is “flagrantly ignoring state and federal online safety laws while deceiving parents about the dangers of its platform.”
  • BioWare says it’s ‘focused exclusively’ on the next Mass Effect: It’s been five years since BioWare first announced it was working on a brand new Mass Effect game. But today, November 7th (N7 Day), BioWare shared a promising sign of life: the BioWare team is “heads-down and focused exclusively” on the game, according to its executive producer.
  • Does the Trump phone exist yet?: Last week I asked where the Trump phone was. The answer? Nowhere. There’s no update, no response, no sign of it. And since it’s still not here, I am — again — asking the same question.
  • ‘Landfall’ Malware Targeted Samsung Galaxy Users: The tool let its operators secretly record conversations, track device locations, capture photos, collect contacts, and perform other surveillance on compromised devices.
  • ‘Ransomvibing’ Infests Visual Studio Extension Market: A published VS Code extension didn’t hide the fact that it encrypts and exfiltrates data and also failed to remove obvious signs it was AI-generated.
  • Microsoft Backs Massive AI Push in UAE, Raising Security Concerns: In partnership with Emirates tech company G42, Microsoft is building the first stage of a 5-gigawatt US-UAE AI campus using Nvidia GPUs.
  • AI Agents Are Going Rogue: Here’s How to Rein Them In: Human-centered identity frameworks are incorrectly being applied to AI agents, creating the potential for catastrophe at machine speed, Poghosyan argues.
  • AI Security Agents Get Persona Makeovers: New synthetic security staffers promise to bring artificial intelligence comfortably into the security operations center, but they will require governance to protect security.
  • Ollama, Nvidia Flaws Put AI Infrastructure at Risk: Security researchers discovered multiple vulnerabilities in AI infrastructure products, including one capable of remote code execution.
  • Sora 2 Makes Videos So Believable, Reality Checks Are Required: Threat actors will continue to abuse deepfake technology to conduct fraudulent activity, so organizations need to implement strong security protocols – even if it adds to user friction.
  • SonicWall Firewall Backups Stolen by Nation-State Actor: The network security vendor said the MySonicWall breach was unrelated to the recent wave of Akira ransomware attacks targeting the company’s devices.
  • 🏴‍☠️ Handala has just published a new victim : Saturday Spotlight: As per our unbreakable tradition, every Saturday, the world awaits the chilling revelation from Handala RedWanted. This week, we pull back the mask on eight more Zionist criminals…
  • 🏴‍☠️ Qilin has just published a new victim : Wasserverband Wulkatal: N/A
  • 🏴‍☠️ Securotrop has just published a new victim : Pocatello Ready Mix: Status: AWAITING Size: 274 GB
  • 🏴‍☠️ Qilin has just published a new victim : Advanced Delivery Services: N/A
  • 🏴‍☠️ Qilin has just published a new victim : SHRM New Mexico: N/A
  • 🏴‍☠️ Qilin has just published a new victim : Scouts Canada: N/A
  • 🏴‍☠️ Stormous has just published a new victim : !: VPN access to the company’s internal network is provided
  • 🏴‍☠️ Akira has just published a new victim : Mold In Graphic Systems: Mold In Graphic Systems specializes in providing permanent labeling solutions for plastic durable goods using their unique Polymer Fusion Labels. We will upload 15gb of corporate documents soon.
  • 🏴‍☠️ Dragonforce has just published a new victim : GB Mail: GB Mail is a privately owned and leading mailing house located centrally in the home counties.
  • 🏴‍☠️ Dragonforce has just published a new victim : DCS TECHNOLOGIES INC.: DCS Technology Inc. is providing complete IT Solutions since 2004. They are specialized in Point of Sale systems, Website Designing, Technical Support, and Computer Networking Solutions.
  • 🏴‍☠️ Qilin has just published a new victim : Shollenberger Januzzi & Wolfe: N/A
  • 🏴‍☠️ Qilin has just published a new victim : Marine Turbine Technologies: N/A
  • 🏴‍☠️ Medusa has just published a new victim : Simon Property Group: Simon Property Group is a leading real estate investment trust (REIT) based in Indianapolis, Indiana.
  • 🏴‍☠️ Medusa has just published a new victim : Clackamas Community College: Clackamas Community College offers a variety of academic programs including associate degrees, certificates, and customized training for various career pathways. The total amount of data leakage is 1.21 TB
  • 🏴‍☠️ Medusa has just published a new victim : LaRosa’s Pizzeria: LaRosa’s Pizzeria is a family-owned pizza restaurant chain founded in 1954 by Donald “Buddy” LaRosa in Cincinnati, Ohio.
  • 🏴‍☠️ Medusa has just published a new victim : Oscars Group: Oscars Group is a prominent hospitality collective in New South Wales, founded in 1986 by the Gravanis brothers.
  • 🏴‍☠️ Medusa has just published a new victim : PT Kalimantan Prima Persada: PT Kalimantan Prima Persada (KPP) is a subsidiary of PT Pamapersada Nusantara (PAMA), a leading mining company in Asia.
  • 🏴‍☠️ Qilin has just published a new victim : Village of New Lenox: N/A
  • 🏴‍☠️ Qilin has just published a new victim : Klae Construction: N/A
  • 🏴‍☠️ Interlock has just published a new victim : Aptura Group & Central Indiana Hardware: Central Indiana Hardware – Produces custom access systems, space management solutions, and high-performance hardware to optimize the security and functionality of commercial spaces.
  • 🏴‍☠️ Akira has just published a new victim : Soapy Joe’s Car Wash: Voted Best Car Wash in San Diego. We will upload more than 40gb of corporate documents soon. We obtained personal information of all employees of this company.
  • 🏴‍☠️ Akira has just published a new victim : Shands Elbert: Shands, Elbert, Gianoulakis & Giljum, LLP is a law firm based in St. Louis with over 50 years of experience offering a wide range of legal services.
  • 🏴‍☠️ Akira has just published a new victim : PLP SoCal: PLP SoCal is Southern California’s premier representative of performance Architectural Lighting, Decorative Lighting, Lighting Controls, Acoustic, EV Charging Stations, Illuminated Handrails & Site Furnishing.
  • 🏴‍☠️ Akira has just published a new victim : Koch & Co, Inc.: Koch & Co, Inc., is a wood door and cabinet manufacturing company. We will upload 54gb of corporate documents soon.
  • 🏴‍☠️ Clop has just published a new victim : WASHINGTONPOST.COM: [AI generated] The WashingtonPost.com is the online edition of The Washington Post, a leading US daily newspaper.
  • 🏴‍☠️ Clop has just published a new victim : ZANACO.CO.ZM: [AI generated] Zambia National Commercial Bank Plc (ZANACO) is a major bank in Zambia.
  • 🏴‍☠️ Clop has just published a new victim : KIRBYCORP.COM: [AI generated] Kirby Corporation is an American diversified business that provides distribution and services in marine and land transportation.
  • 🏴‍☠️ Clop has just published a new victim : TRIMBLE.COM: [AI generated] Trimble Inc., operating as Trimble.com, is a multinational technology company that specializes in hardware and software services, such as GPS tracking systems…
  • 🏴‍☠️ Clop has just published a new victim : MKS.COM: [AI generated] “N/A”
  • 🏴‍☠️ Clop has just published a new victim : INTERNATIONAL.COM: [AI generated] N/A
  • 🏴‍☠️ Clop has just published a new victim : LOGITECH.COM: [AI generated] Logitech.com is the official website of Logitech International S.A., a Swiss-American multinational company specializing in computer peripherals and software.
  • 🏴‍☠️ Clop has just published a new victim : KIER.CO.UK: [AI generated] KIER.CO.UK is a leading construction, property, and residential and infrastructure company in the UK.
  • 🏴‍☠️ Clop has just published a new victim : ELSEWEDYELECTRIC.COM: [AI generated] ELSEWEDY Electric is a leading provider of integrated energy solutions in Africa, the Middle East, and beyond.
  • 🏴‍☠️ Clop has just published a new victim : WOODPLC.COM: [AI generated] Wood PLC is a leading global project, engineering and technical services company headquartered in the UK.
  • 🏴‍☠️ Clop has just published a new victim : RHEEM.COM: [AI generated] Rheem Manufacturing Company is a leading global manufacturer of heating, cooling, water heating, and pool/spa heating solutions.
  • 🏴‍☠️ Clop has just published a new victim : LV.COM: [AI generated] LV.COM (Liverpool Victoria) is a UK-based insurance company offering a broad range of insurance and retirement products.
  • 🏴‍☠️ Qilin has just published a new victim : Rex-Hide: N/A
  • 🏴‍☠️ Stormous has just published a new victim : www.wilmar.co.id: VPN access to the company’s internal network is provided
  • 🏴‍☠️ Stormous has just published a new victim : www.danareksa.com: VPN access to the company’s internal network is provided
  • 🏴‍☠️ Stormous has just published a new victim : www.marjane.ma: Marjane Group is a Moroccan retail group that owns the Marjane hypermarkets and Marjane Market supermarkets.
  • 🏴‍☠️ Qilin has just published a new victim : Studio Corvo Parma: N/A
  • 🏴‍☠️ Incransom has just published a new victim : Ketat Grundstücksverwertungs GmbH: We have data from Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH, payment and tax records, employee and client documents…
  • 🏴‍☠️ Incransom has just published a new victim : prutsch-ra.at: We have data from Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH, payment and tax records, employee and client documents…
  • 🏴‍☠️ Incransom has just published a new victim : MusikComputer GmbH: We have data from Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH, payment and tax records, employee and client documents…
  • 🏴‍☠️ Kryptos has just published a new victim : Provincial Department of Health Services Sri Lanka: Health Services – 145 Institutions – 439 Field Clinic Centres – 850 Medical Officer
  • 🏴‍☠️ Incransom has just published a new victim : pmsp.at: We have Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH company data, payment and tax documentation, employee and client documents…
  • 🏴‍☠️ Incransom has just published a new victim : elektroanlagen: We have data from Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH, payment and tax records, employee and client documents…
  • 🏴‍☠️ Incransom has just published a new victim : zebra.or.at: We have zebra.or.at company data, payment and tax documentation, employee and client documents…
  • 🏴‍☠️ Qilin has just published a new victim : Systems Integrated: N/A
  • 🏴‍☠️ Qilin has just published a new victim : Sai Mai Hospital: N/A
  • 🏴‍☠️ Qilin has just published a new victim : PCB Uitvaartzorg: N/A
  • 🏴‍☠️ Qilin has just published a new victim : UScraft: N/A