Ransomware Update – 2025-11-20

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • ShinySp1d3r (New RaaS):

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: A new Ransomware-as-a-Service (RaaS) platform created by the established ShinyHunters threat group, designed for extortion operations.
    • Targets: General targets for affiliates of the RaaS platform.
    • Decryption Status: No free decryption tool available.
    • Source: Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters
  • Akira:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion, threatening to leak large volumes of sensitive corporate and personal data.
    • Targets: American Trust Administrators (Employee Benefits), Orchid Island Golf and Beach Club (Hospitality), Modern Display (Retail), The InterTech Group (Holding Company), Pearl River Valley Electric Power Association (Utility), Perry Brothers Oil (Automotive), Aarco (Insurance), ARENCON (Engineering), Cardinal Services (Oilfield Services), Stoss Landscape Urbanism (Design).
    • Decryption Status: No free decryption tool available.
    • Source: Multiple victim announcements posted by the group.
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data theft and public shaming on their leak site to extort victims. Claimed to have exfiltrated 1TB of data from one victim.
    • Targets: NAFFCO (Fire Safety), Reid Hurst Nagy CPA (Accounting), Bais Yaakov Elementary School (Education), Continuum India (Contract Research), The Ripley Academy (Education), Grande Prairie Public Library (Public Services), Datenlotsen (Software), Zadro Inc. (Retail).
    • Decryption Status: No free decryption tool available.
    • Source: Multiple victim announcements posted by the group.
  • Sarcoma:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration, targeting files, SQL databases, and Exchange servers for extortion.
    • Targets: Söllner GmbH & Co. KG (German Roofing), B&J Rocket Sales (Swiss Manufacturing).
    • Decryption Status: No free decryption tool available.
    • Source: Multiple victim announcements posted by the group.
  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data theft and extortion.
    • Targets: IGT, Marine Foods Express LTD, Spark Innovation.
    • Decryption Status: No free decryption tool available.
    • Source: Multiple victim announcements posted by the group.
  • Sinobi:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Data exfiltration and extortion via leak site announcements.
    • Targets: Croft (Window/Door Manufacturing), CHANGEPOND (Software), Genrose Stone + Tile (Retail), Heywood Hospital (Healthcare), TFC Poultry (Food Production).
    • Decryption Status: No free decryption tool available.
    • Source: Multiple victim announcements posted by the group.
  • Other Active Groups:

    • Noteworthy Mentions: Several other groups including Nova, Devman, Thegentlemen, Anubis, and Safepay were also observed actively posting new victims from diverse sectors such as hosting, chemical manufacturing, finance, and logistics, primarily using data theft and extortion tactics.

Observations and Further Recommendations

  • High Volume of Activity: A wide range of ransomware groups are operating concurrently, indicating a highly active and persistent global threat landscape.
  • Diverse and Opportunistic Targeting: Victims span numerous industries, including manufacturing, healthcare, technology, education, and critical infrastructure, demonstrating that no sector is immune to attack.
  • Data Exfiltration is the Standard: The dominant strategy is “double extortion,” where attackers steal sensitive data before encryption and threaten to publish it to pressure victims into paying a ransom.
  • New Services Emerge: The development of new Ransomware-as-a-Service (RaaS) platforms like ShinySp1d3r by veteran cybercriminals lowers the barrier to entry for other attackers and fuels the ransomware ecosystem.
  • General Recommendations: Organizations should prioritize fundamental cybersecurity hygiene. This includes implementing multi-factor authentication (MFA), enforcing strong access controls, regularly patching software vulnerabilities, conducting employee security awareness training, and maintaining secure, offline backups of critical data.

News Details

  • Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters: An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
  • Obscura Ransomware: A Case Study in Ransomware Data Loss: Discover how Obscura ransomware corrupts encrypted files beyond recovery, and why technical validation is key to smart ransom response decisions.
  • Sarcoma has just published a new victim: Söllner: Söllner GmbH & Co. KG is a family-owned roofing company based in Plettenberg, operating for four generations since 1902. The company specializes in roofing, carpentry, facade construction, scaffolding, and offers additional services such as container service and crane rentals.
  • Incransom has just published a new victim: naffco.com: NAFFCO is an international manufacturer and supplier of firefighting, security, and safety products. They also offer training services and emergency responder certification. The company is headquartered in Dubai, in the United Arab Emirates. We have 1TB of data at our disposal.
  • Nova has just published a new victim: HostingFest: As HostingFest, we provide domain name (Domain), Hosting, VDS and Dedicated servers, E-commerce infrastructures and SEO services to our individual and corporate customers. Due to encryption, the official domain is currently inaccessible.
  • Sinobi has just published a new victim: Croft: Croft is a leading window and door company specializing in energy-efficient vinyl and aluminum products, including a variety of windows and patio doors.
  • Qilin has just published a new victim: IGT: N/A
  • Akira has just published a new victim: American Trust Administrators: American Trust Administrators, Inc. (ATA) is a national leader in the administration and management of employee benefit plans. We will upload almost 143gb of corporate documents soon.
  • Thegentlemen has just published a new victim: .: 1.5 terabytes of data stolen from one of Asia’s largest investment companies, with more than 10 billion USD under management.
  • Russian bulletproof hosting provider sanctioned over ransomware ties: Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations.
  • CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat: CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages.
  • New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices: Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud.
  • Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt: Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.
  • TamperedChef Malware Spreads via Fake Software Installers in Ongoing Global Campaign: Threat actors are leveraging bogus installers masquerading as popular software to trick users into installing malware as part of a global malvertising campaign dubbed TamperedChef.
  • Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001): A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday.
  • Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices: Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil.
  • WrtHug Exploits Six ASUS WRT Flaws to Hijack Tens of Thousands of EoL Routers Worldwide: A newly discovered campaign has compromised tens of thousands of outdated or end-of-life (EoL) ASUS routers worldwide, predominantly in Taiwan, the U.S., and Russia, to rope them into a massive network.
  • EdgeStepper Implant Reroutes DNS Queries to Deploy Malware via Hijacked Software Updates: The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.
  • Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild: Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0.
  • Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar: The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal.
  • CISA gives govt agencies 7 days to patch new Fortinet flaw: CISA has ordered U.S. government agencies to secure their systems within a week against another vulnerability in Fortinet’s FortiWeb web application firewall, which was exploited in zero-day attacks.