Ransomware Update – 2025-11-26

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Not specified in the provided articles.
    • Targets: Dobco (construction), Bergeson (law firm), Rochester Philharmonic Orchestra, and Standing Chapter 13 Trustee.
    • Decryption Status: No known decryption method specified.
    • Source: Ransomware leak site announcements from the provided news feed.
  • Qilin:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Not specified in the provided articles.
    • Targets: BioPharma Services, Disston, Burnham Brown, Eastek International, Workflow Concepts, Lake Superior State University, Paal, Inspire Communities, New England Tractor Trailer Training School, Christofle, Columbia Medical Practice, Nottingham Village, Zecher, Blue Projects, and HYTORC.
    • Decryption Status: No known decryption method specified.
    • Source: Ransomware leak site announcements from the provided news feed.
  • Clop:

    • New Encrypted File Extension: Not specified in the provided articles.
    • Attack Methods: Exploitation of Oracle E-Business Suite servers.
    • Targets: Dartmouth College.
    • Decryption Status: The gang leaked stolen data, confirming a successful extortion attack. No decryption information is available.
    • Source: “Dartmouth College confirms data breach after Clop extortion attack” from the provided news feed.
  • Other Active Ransomware Groups:

    • Summary: Numerous other ransomware groups, including Silentransomgroup, Dragonforce, Anubis, Sinobi, Everest, Payoutsking, Coinbasecartel, Incransom, Rhysida, Nightspire, Thegentlemen, Ransomhouse, and Interlock, have published new victims on their leak sites.
    • Targets: A wide range of sectors were targeted, including law firms (Carlton Fields, Mitchell Silberberg & Knupp), finance (National Money Mart Company), airlines (Iberia Airlines), healthcare (AllerVie Health), government (Swedish Arts Council), manufacturing (Amcor), and education (Emond Publishing).
    • Details: The announcements primarily focus on naming victims and threatening to leak stolen financial and personal data. Technical details about the attacks are not provided.
    • Source: Ransomware leak site announcements from the provided news feed.

Observations and Further Recommendations

  • Broad and Diverse Targeting: The latest reports show that ransomware attacks are not confined to a single industry. Groups are targeting a wide array of sectors, including legal, education, construction, finance, healthcare, and government agencies across multiple countries.
  • Prolific Activity: Numerous ransomware gangs remain highly active, with groups like Qilin, Akira, and Incransom announcing multiple victims in a short period, indicating a high operational tempo.
  • Vulnerability Exploitation: The breach at Dartmouth College, attributed to the Clop group exploiting Oracle E-Business Suite servers, underscores the critical importance of timely patching of known vulnerabilities in enterprise software.
  • General Recommendations: Organizations should prioritize robust cybersecurity hygiene, including regular software updates, implementing multi-factor authentication (MFA), network segmentation, and maintaining offline, immutable backups to mitigate the impact of a potential ransomware attack.

News Details

  • Webinar: Learn to Spot Risks and Patch Safely with Community-Maintained Tools: If you’re using community tools like Chocolatey or Winget to keep systems updated, you’re not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch… The very tools that make your job easier might also be the reason your systems are at risk.
  • Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps: Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that’s capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.
  • RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware: The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. “This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report.
  • FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams: The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes.
  • Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys: New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code.
  • JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers: Cybersecurity researchers are calling attention to a new campaign that’s leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a “critical” Windows security update.
  • ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens: The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy.
  • Hackers Hijack Blender 3D Assets to Deploy StealC V2 Data-Stealing Malware: Cybersecurity researchers have disclosed details of a new campaign that has leveraged Blender Foundation files to deliver an information stealer known as StealC V2.
  • CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications.
  • Aligning VMware migration with business continuity: For decades, business continuity planning meant preparing for anomalous events like hurricanes, floods, tornadoes, or regional power outages. In recent years, an even more persistent threat has emerged. Cyber incidents, particularly ransomware, are now more common—and often, more damaging—than physical disasters.
  • ASUS warns of new critical auth bypass flaw in AiCloud routers: ASUS has released new firmware to patch nine security vulnerabilities, including a critical authentication bypass flaw in routers with AiCloud enabled.
  • OnSolve CodeRED cyberattack disrupts emergency alert systems nationwide: Risk management company Crisis24 has confirmed its OnSolve CodeRED platform suffered a cyberattack that disrupted emergency notification systems used by state and local governments, police departments, and fire agencies across the United States.
  • FBI: Cybercriminals stole $262M by impersonating bank support teams: The FBI warns of a surge in account takeover (ATO) fraud schemes and says that cybercriminals impersonating various financial institutions have stolen over $262 million in ATO attacks since the start of the year.
  • Code beautifiers expose credentials from banks, govt, tech orgs: Thousands of credentials, authentication keys, and configuration data impacting organizations in sensitive sectors have been sitting in publicly accessible JSON snippets submitted to the JSONFormatter and CodeBeautify online tools that format and structure code.
  • Dartmouth College confirms data breach after Clop extortion attack: Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school’s Oracle E-Business Suite servers on its dark web leak site.
  • Malicious Blender model files deliver StealC infostealing malware: A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader.
  • ClickFix attack uses fake Windows Update screen to push malware: New ClickFix attack variants have been observed where threat actors trick users with a realistic-looking Windows Update animation in a full-screen browser page and hide the malicious code inside images.
  • 🏴‍☠️ Akira has just published a new victim: Dobco: Dobco, founded in 1989 and headquartered in Wayne, New Jersey, is an established multi-faceted general construction firm.
  • 🏴‍☠️ Silentransomgroup has just published a new victim: Carlton Fields: Carlton Fields is a nationally recognized law firm delivering strategic legal counsel to corporations,…
  • 🏴‍☠️ Qilin has just published a new victim: BioPharma Services: N/A
  • 🏴‍☠️ Qilin has just published a new victim: Disston: N/A
  • 🏴‍☠️ Dragonforce has just published a new victim: Emond Publishing: Emond Publishing is a Canadian publisher specializing in legal education materials and resources for law students and professionals.
  • 🏴‍☠️ Akira has just published a new victim: Bergeson: Bergeson, LLP is a leading litigation law firm based in Silicon Valley, established in 1990.
  • 🏴‍☠️ Qilin has just published a new victim: Burnham Brown: N/A
  • 🏴‍☠️ Incransom has just published a new victim: Schmidt’s: SCHMIDT’S is a specialized market that offers a wide array of products and services for house, garden, crafts, and industry, boasting over 130 years of tradition and quality. Over 100GB of data was extracted.
  • 🏴‍☠️ Akira has just published a new victim: Standing Chapter 13 Trustee: The Standing Chapter 13 Trustee, District of Minnesota, provides services related to bankruptcy cases under Chapter 13, assisting debtors with payment information and case-related resources.