Ransomware Update – 2025-11-27

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified in the article.
    • Attack Methods: Supply chain attack through a compromised Managed Service Provider (MSP), whose access into customer environments was used to reach and encrypt downstream organizations; potential involvement of North Korean state-affiliated actors (Moonstone Sleet).
    • Targets: South Korea’s financial sector and 28 downstream victims of the compromised MSP. The data heist is referred to as “Korean Leaks.”
    • Decryption Status: No known decryption method mentioned.
    • Source: Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist
  • Various Ransomware Groups (Akira, Dragonforce, Incransom, etc.):

    • New Encrypted File Extension: Not applicable (reports are based on data leak site publications, not technical analysis).
    • Attack Methods: Data theft and extortion through public naming and data publication on dedicated leak sites.
    • Targets: A diverse range of global organizations across multiple sectors, including animal health (Zoetis), technology (Foxconn Interconnect Technology), legal services (Carlton Fields), aerospace (ADC Aerospace), and pharmaceuticals (Enerre Pharma).
    • Decryption Status: Not applicable/mentioned.
    • Source: Multiple ransomware leak site notifications (🏴‍☠️ emoji titles).

Observations and Further Recommendations

  • The Qilin incident illustrates the supply chain pattern: compromising one trusted provider such as an MSP, whose privileged access reaches many customers, turns a single intrusion into dozens of victims (28 in this case).
  • The reported Moonstone Sleet involvement points to possible cooperation between a Ransomware-as-a-Service (RaaS) operation and a state-affiliated actor, which blurs the line between financially motivated crime and state-sponsored activity and complicates attribution.
  • The volume of victims posted to leak sites in a single week shows that ransomware remains a pervasive threat across sectors; the animal health, electronics, legal, aerospace and pharmaceutical victims above have little in common beyond holding data worth extorting.
  • Organizations should treat third-party and supply chain risk as a first-class control area: inventory which vendors and MSPs hold privileged or remote access, restrict and log that access, and require multi-factor authentication on it. Immutable, regularly tested backups and security awareness training remain essential baseline defenses.

News Details

  • Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim ‘Korean Leaks’ Data Heist: South Korea’s financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. “This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP)”.
  • ThreatsDay Bulletin: AI Malware, Voice Bot Flaws, Crypto Laundering, IoT Attacks — and 20 More Stories: Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world. Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight.
  • Gainsight Expands Impacted Customer List Following Salesforce Security Alert: Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought. The company said Salesforce initially provided a list of 3 impacted customers and that it has “expanded to a larger list” as of November 21, 2025.
  • Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets: The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud.
  • RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware: The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. “This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said.
  • 🏴‍☠️ Akira has just published a new victim : Zoetis: Zoetis discovers, develops, manufactures, and commercializes animal health medicines, vaccines, and diagnostic products in the United States and internationally. We will upload 25 GB of corporate documents soon. Lots of internal documents, clients’ data, numerous tests and other information.
  • 🏴‍☠️ Incransom has just published a new victim : FIT: Foxconn Interconnect Technology Limited (FIT) focuses on the development, manufacturing, and marketing of electronic and optoelectronic connectors, antennas, acoustic components, cables, and modules for applications in computers, communication equipment, consumer electronics, automobiles, industrial and green energy field products.
  • 🏴‍☠️ Dragonforce has just published a new victim : Healthcare Retroactive Audits: 22,171,128 medical record files, neatly packaged into 11 archives by hospital. The firm Healthcare Retroactive Audits, which was auditing the data for insurers, not only let the leak happen but also took no steps to stop the files from being published.
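The Shai-Hulud v2 item above names one Maven Central coordinate, org.mvnpm:posthog-node:4.18.1, that carries the same components as the npm wave. As an added example (not code from the article, from Socket, or from any affected project), the Python below checks a Maven pom.xml and an npm package-lock.json against an IOC list, and lists the install-time lifecycle hooks a package.json declares, since a self-propagating package has to run code at install time to spread. The IOC list holds the article's Maven coordinate; the npm package name example-sdk, the manifest contents and the hook commands are constructed for illustration.

```python
"""Dependency-manifest IOC check spanning npm and Maven.

Added example. The only indicator taken from the article is the Maven
coordinate org.mvnpm:posthog-node:4.18.1; everything else below is constructed.
"""
import json
import xml.etree.ElementTree as ET

# Indicators of compromise as (group, artifact, version) / (name, version).
# The Maven entry is from the article; the npm entry is a hypothetical
# placeholder standing in for a real IOC feed.
IOCS = {
    "maven": {("org.mvnpm", "posthog-node", "4.18.1")},
    "npm": {("example-sdk", "1.2.3")},  # hypothetical
}

# Lifecycle hooks that npm runs during `npm install`. A worm-style package
# needs one of these to execute, so their presence in a dependency deserves
# a look even before the package lands on an IOC list.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def scan_pom(pom_xml: str) -> list[str]:
    """Return 'groupId:artifactId:version' for each <dependency> in pom_xml
    that matches a Maven IOC. Works with or without the default POM namespace."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    hits = []
    for dep in root.iter(q("dependency")):
        g = dep.findtext(q("groupId"))
        a = dep.findtext(q("artifactId"))
        v = dep.findtext(q("version"))
        if (g, a, v) in IOCS["maven"]:
            hits.append(f"{g}:{a}:{v}")
    return hits


def scan_npm_lock(lock_json: str) -> list[str]:
    """Return 'name@version' for each entry of a lockfileVersion 2/3
    package-lock.json whose (name, version) is an npm IOC. Nested
    node_modules paths are reduced to the package name."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        if (name, meta.get("version")) in IOCS["npm"]:
            hits.append(f"{name}@{meta['version']}")
    return hits


def install_hooks(package_json: str) -> dict[str, str]:
    """Return the install-time lifecycle scripts declared in a package.json."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


# Constructed sample manifests (not real project files). The second POM
# dependency has a version that is not on the IOC list and must not match.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.mvnpm</groupId>
      <artifactId>posthog-node</artifactId>
      <version>4.18.1</version>
    </dependency>
    <dependency>
      <groupId>org.mvnpm</groupId>
      <artifactId>posthog-node</artifactId>
      <version>4.17.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "0.0.1"},
        "node_modules/example-sdk": {"version": "1.2.3"},
        "node_modules/other/node_modules/example-sdk": {"version": "1.2.2"},
    },
})

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-sdk",
    "version": "1.2.3",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},  # hypothetical
})

if __name__ == "__main__":
    print(scan_pom(SAMPLE_POM))                 # ['org.mvnpm:posthog-node:4.18.1']
    print(scan_npm_lock(SAMPLE_LOCK))           # ['example-sdk@1.2.3']
    print(install_hooks(SAMPLE_PACKAGE_JSON))   # {'preinstall': 'node setup.js'}
```

Run it against a real repository by reading pom.xml, package-lock.json and each dependency's package.json from disk instead of the constructed strings; the version check is exact on purpose, because a single compromised release sits next to clean ones under the same coordinate.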