Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion, threatening to publish sensitive corporate and personal information.
- Targets: Multiple organizations across various sectors, including Mechanical Systems Company (building automation), Kelly Wearstler Gallery (luxury brand), Hitech (motorsport), Crucible Industries (steel manufacturing), and a group of consulting, architecture, and software firms (Asl Consulting, DTG Consulting Solutions, etc.).
- Decryption Status: No decryption information provided; the focus is on data exfiltration.
- Source: Ransomware victim announcements feed.
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public shaming of victims on their leak site.
- Targets: A wide range of entities including Comansco, ERR Raumplaner, Bcfpers, United Volleyball Supply, Santa Paula, WLR Precision Engineering, The American School Foundation, and St. Johns River Water Management District.
- Decryption Status: No decryption information provided; the focus is on data exfiltration.
- Source: Ransomware victim announcements feed.
Other Ransomware Groups (Worldleaks, Tengu, Nova, Incransom, Dragonforce, etc.):
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data theft and extortion via public disclosure on leak sites.
- Targets: A diverse list of global entities including Family Farm and Home (Worldleaks), Rollingertec S.A. (Tengu), Caros co (Nova), FIT (Foxconn) and PFMI (Incransom), Enerre Pharma (Dragonforce), and ADC Aerospace (Play).
- Decryption Status: No decryption information provided.
- Source: Ransomware victim announcements feed.
Observations and Further Recommendations
- The news indicates a high volume of activity from numerous ransomware gangs, with groups like Akira and Qilin announcing multiple victims simultaneously.
- The attacks are not confined to a single industry or region, targeting organizations in manufacturing, technology, education, retail, professional services, and government entities across North America, Europe, and Asia.
- The primary tactic observed in these announcements is data exfiltration followed by extortion, threatening to leak sensitive employee, customer, and financial data to pressure victims into payment.
- Organizations should prioritize robust security measures, including network segmentation, access control, regular backups, and employee training to defend against initial access and mitigate the impact of data theft.
News Details
- Why Organizations Are Turning to RPAM: As IT environments become increasingly distributed and organizations adopt hybrid and remote work at scale, traditional perimeter-based security models and on-premises Privileged Access Management (PAM) solutions no longer suffice. IT administrators, contractors and third-party vendors now require secure access to critical systems from any location and on any device, without compromising
- MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants: Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams. “When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report
- Bloody Wolf Expands Java-based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan: The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the
- Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update: Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now. The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at “login.microsoftonline[.]com” by only letting scripts from trusted Microsoft domains run.
- Webinar: Learn to Spot Risks and Patch Safely with Community-Maintained Tools: If you’re using community tools like Chocolatey or Winget to keep systems updated, you’re not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch… The very tools that make your job easier might also be the reason your systems are at risk.
- ThreatsDay Bulletin: AI Malware, Voice Bot Flaws, Crypto Laundering, IoT Attacks — and 20 More Stories: Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world. Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight.
- Gainsight Expands Impacted Customer List Following Salesforce Security Alert: Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought. The company said Salesforce initially provided a list of 3 impacted customers and that it has “expanded to a larger list” as of November 21, 2025.
- Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets: The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud.
- Moving toward LessOps with VMware-to-cloud migrations: Today’s IT leaders face competing mandates to do more (“make us an ‘AI-first’ enterprise—yesterday”) with less (“no new hires for at least the next six months”). VMware has become a focal point of these dueling directives. It remains central to enterprise IT, with 80% of organizations using VMware infrastructure products.
- OpenAI discloses API customer data breach via Mixpanel vendor hack: OpenAI is notifying some ChatGPT API customers that limited identifying information was exposed following a breach at its third-party analytics provider Mixpanel.
- New ShadowV2 botnet malware used AWS outage as a test opportunity: A new Mirai-based botnet malware named ‘ShadowV2’ has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities.
- Popular Forge library gets fix for signature verification bypass flaw: A vulnerability in the ‘node-forge’ package, a popular JavaScript cryptography library, could be exploited to bypass signature verifications by crafting data that appears valid.
- Comcast to pay $1.5M fine for vendor breach affecting 270K customers: Comcast will pay a $1.5 million fine to settle a Federal Communications Commission investigation into a February 2024 vendor data breach that exposed the personal information of nearly 275,000 customers.
- Multiple London councils’ IT systems disrupted by cyberattack: The Royal Borough of Kensington and Chelsea (RBKC) and the Westminster City Council (WCC) announced that they are experiencing service disruptions following a cybersecurity issue.
- Digital Fraud at Industrial Scale: 2025 Wasn’t Great: Advanced fraud attacks surged 180% in 2025 as cyber scammers used generative AI to churn out flawless IDs, deepfakes, and autonomous bots at levels never before seen.
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’: A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” made headlines regularly this year by stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group.
- 🏴☠️ Worldleaks has just published a new victim: Family Farm and Home: Family Farm and Home is a retail chain specializing in agricultural and home improvement products. Founded in 1959 as a single store in Michigan, it now operates across multiple states.
- 🏴☠️ Qilin has just published a new victim: Comansco: N/A
- 🏴☠️ Tengu has just published a new victim: Rollingertec S.A. – Luxembourg: Offering integrated solutions in the field of building technology and timber construction, with a special focus on roofs, facades, and metal insulation.
- 🏴☠️ Nova has just published a new victim: Caros co: South Korea. It was founded in 2009. It is engaged in the production and sale of general-purpose vehicles. Among the products: an ice maker, a water purifier, a water heater and others.
- 🏴☠️ Akira has just published a new victim: Mechanical Systems: Mechanical Systems Company offers building automation controls and services. We are ready to upload more than 30GB files of essential corporate documents such as: Employee personal information (SSNs, DLs, passports and so on), confidentiality agreements, financials, clients information, NDA, etc.
- 🏴☠️ Incransom has just published a new victim: FIT: Foxconn Interconnect Technology Limited (FIT) focuses on the development, manufacturing, and marketing of electronic and optoelectronic connectors, antennas, acoustic components, cables, and modules for applications in computers, communication equipment, consumer electronics, automobiles, industrial and green energy field products.