Latest Ransomware News and New File Extensions
Akira Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Actively deploying a Linux encryptor designed to target and encrypt Nutanix AHV virtual machines.
- Targets: A wide range of industries including steel fabrication (Waukegan Steel), logistics (Barnhart), hospitality (Basin Harbor), and engineering consulting (Smith Gardner), with a specific focus on organizations utilizing Nutanix virtualization infrastructure.
- Decryption Status: No known decryption method. CISA has issued an alert regarding this threat.
- Source: CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs; Akira Victim Leak Site Posts
Kraken Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Benchmarks the target system's performance before encrypting, then chooses the fastest encryption method that will not overload the machine, so that the encryption run is less likely to be noticed.
- Targets: Windows and Linux/VMware ESXi systems. A recent victim includes a construction management consulting firm.
- Decryption Status: No known decryption method.
- Source: Kraken ransomware benchmarks systems for optimal encryption choice
Clop Ransomware:
- New Encrypted File Extension: Not specified.
- Attack Methods: Primarily focuses on large-scale data exfiltration campaigns, often exploiting zero-day vulnerabilities in widely used enterprise software.
- Targets: Numerous high-profile global organizations across diverse sectors, including technology (Fluke, GlobalLogic), digital security (Entrust), education (Dartmouth.edu), and public health (NHS.UK).
- Decryption Status: As Clop’s model is primarily data extortion, decryption is not the main focus; no public tools are available.
- Source: Clop Victim Leak Site Posts
LockBit Ransomware:
- New Encrypted File Extension: Not specified in recent reports.
- Attack Methods: The group has reappeared after recent law enforcement action, indicating a return to its previous TTPs, which include exploiting vulnerabilities and using compromised credentials.
- Targets: General organizations; the group is reconstituting its operations.
- Decryption Status: No public decryption tools are available for recent versions of the ransomware.
- Source: Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns
Other Active Ransomware Groups:
- New Encrypted File Extension: Not specified.
- Attack Methods: Various groups continue to conduct data theft and encryption attacks.
- Targets: Groups including Incransom, Qilin, Everest, Spacebears, Direwolf, Chaos, and Anubis are actively publishing victims from industries such as legal services, manufacturing, staffing solutions, and finance.
- Decryption Status: No known decryption methods for these active campaigns.
- Source: Various Victim Leak Site Posts
Observations and Further Recommendations
- The ransomware landscape is increasingly fragmented, with a record 85 active groups observed in Q3 2025. This decentralization makes defense and law enforcement efforts more complex.
- Despite takedown operations, prominent groups like LockBit are demonstrating resilience by quickly re-emerging, highlighting the persistence of the Ransomware-as-a-Service (RaaS) model.
- Threat actors are refining their techniques, with Akira targeting specific virtualization platforms (Nutanix) and Kraken optimizing its encryption process for stealth and efficiency.
- Major data extortion campaigns remain a significant threat, as evidenced by Clop’s recent mass publication of victims from globally recognized organizations.
- To mitigate risk, organizations should prioritize patching known exploited vulnerabilities (especially in edge devices such as firewalls and routers), harden virtualization environments, and maintain offline, immutable backups.
News Details
Ransomware’s Fragmentation Reaches a Breaking Point While LockBit Returns: Key Takeaways:
- 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
- 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
- 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
- LockBit’s reappearance with new infrastructure signals the group’s intent to rebuild.
CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs: US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.
Kraken ransomware benchmarks systems for optimal encryption choice: The Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them.
Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts: Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in the Fortinet FortiWeb WAF that could allow an attacker to take over admin accounts and completely compromise a device. “The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” Benjamin Harris, CEO at watchTowr, said.
Chinese Hackers Use Anthropic’s AI to Launch Automated Cyber Espionage Campaign: State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a “highly sophisticated espionage campaign” in mid-September 2025. “The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves,” the AI upstart said.
CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability.
Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown: Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers.
DoorDash hit by new data breach in October exposing user information: DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident.