Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified in the reports.
- Attack Methods: Data exfiltration for double extortion. The group claims to have stolen large volumes of sensitive corporate data, including personal employee and client information, financial records, and contracts.
- Targets: A diverse range of organizations including Parrish Tire, Panini Kabob Grill, Morton LTC, Reed Pope Law, American Public Television, Benchmark Connector, Radtke Contractors, Casting House, Gershow Recycling, Design Team Sign Company, K2d, and Lone Rock Timber.
- Decryption Status: No public decryptor mentioned; focus is on data leak threats.
- Source: URL not provided in source data.
Qilin:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion.
- Targets: Williamson County, TX (government), Zoya, Weiss, Kleber and Associates, Comansco, ERR Raumplaner, Bcfpers, and United Volleyball Supply.
- Decryption Status: No public decryptor mentioned.
- Source: URL not provided in source data.
Thegentlemen:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion.
- Targets: Everbiz Industrial Co. Ltd. (manufacturing) and Devereux Advanced Behavioral Health (healthcare).
- Decryption Status: No public decryptor mentioned.
- Source: URL not provided in source data.
Incransom:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion.
- Targets: Valley View ISD (education sector).
- Decryption Status: No public decryptor mentioned.
- Source: URL not provided in source data.
Handala:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion, specifically targeting a high-profile individual.
- Targets: Dr. Isaac Gertz, identified as a Chief Nuclear Architect.
- Decryption Status: No public decryptor mentioned.
- Source: URL not provided in source data.
Anubis:
- New Encrypted File Extension: Not specified.
- Attack Methods: Data breach focusing on patient data.
- Targets: Mid South Pulmonary & Sleep Specialists (healthcare).
- Decryption Status: No public decryptor mentioned; focus is on data leak.
- Source: URL not provided in source data.
Other Active Groups (Brotherhood, Worldleaks, Tengu, Nova):
- New Encrypted File Extension: Not specified.
- Attack Methods: Data exfiltration and extortion.
- Targets: Various single entities including Ingenieurbüro Laudi (Brotherhood), Family Farm and Home (Worldleaks), Rollingertec S.A. (Tengu), and Caros co (Nova).
- Decryption Status: No public decryptors mentioned for these attacks.
- Source: URL not provided in source data.
Observations and Further Recommendations
- A significant volume of data breach notifications from various ransomware groups, particularly Akira and Qilin, indicates a high level of ongoing cybercriminal activity.
- The attacks demonstrate a wide range of targets across multiple industries, including manufacturing, healthcare, government, legal, and education, underscoring that no sector is immune.
- The dominant tactic is double extortion, where attackers exfiltrate sensitive data before encryption and threaten to publish it to pressure victims into paying a ransom.
- Organizations are strongly advised to implement comprehensive security measures, including multi-factor authentication (MFA), regular and isolated data backups, network segmentation, and proactive vulnerability management to defend against these threats.
News Details
- Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages: Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack. Software supply chain security company ReversingLabs said it found the “vulnerability” in bootstrap files provided by a build and deployment automation tool named “zc.buildout.”
- North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware: The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie.
- Why Organizations Are Turning to RPAM: As IT environments become increasingly distributed and organizations adopt hybrid and remote work at scale, traditional perimeter-based security models and on-premises Privileged Access Management (PAM) solutions no longer suffice. IT administrators, contractors and third-party vendors now require secure access to critical systems from any location and on any device, without compromising
- MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants: Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams. “When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report
- Bloody Wolf Expands Java-based NetSupport RAT Attacks in Kyrgyzstan and Uzbekistan: The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT. As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the
- Leak confirms OpenAI is preparing ads on ChatGPT for public roll out: OpenAI is now internally testing ‘ads’ inside ChatGPT that could redefine the web economy. […]
- Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison: A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers at various airports across Australia. […]
- Microsoft: Windows updates make password login option invisible: Microsoft warned users that Windows 11 updates released since August may cause the password sign-in option to disappear from the lock screen options, even though the button remains functional. […]
- Public GitLab repositories exposed more than 17,000 secrets: After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. […]
- French Football Federation discloses data breach after cyberattack: The French Football Federation (FFF) disclosed a data breach on Friday after attackers used a compromised account to gain access to administrative management software used by football clubs. […]
- Malicious LLMs empower inexperienced hackers with advanced tools: Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement. […]
- 🏴☠️ Handala has just published a new victim : Dr. Isaac Gertz – Chief Nuclear Architect of the Zion Regime: Dr. Isaac Gertz, By now, you have surely felt it, the subtle shift in the air around you. The moment when an ordinary day becomes… wrong. The first $10,000 required for deep-field infiltration and extraction of classified intelligence has been deployed.
- 🏴☠️ Thegentlemen has just published a new victim : Everbiz Industrial Co. Ltd.: www.everbiz.com.tw https://www.zoominfo.com/c/everbiz-industrial-co-ltd/456233474 Since that time, we have manufactured thousands of assemblies for a wide variety of industrial. Many biggest 1000 companies have come to rely on our unique process to fulfill their requirements.
- 🏴☠️ Incransom has just published a new victim : vviewisd.net: Valley View ISD was one of only fifteen districts in the entire state of Texas to receive this rating. We are extremely proud of our students and staff for this great accomplishment.
- 🏴☠️ Qilin has just published a new victim : Zoya: N/A
- 🏴☠️ Qilin has just published a new victim : Weiss: N/A
- 🏴☠️ Qilin has just published a new victim : Kleber and Associates: N/A
- 🏴☠️ Qilin has just published a new victim : Williamson County, TX: N/A
- 🏴☠️ Akira has just published a new victim : Parrish Tire: Parrish Tire Company is one of the largest tire dealers in the Southeast, operating wholesale, retail, and commercial truck tire centers in NC, SC, VA, GA, and OH. We are ready to upload 10GB files of corporate documents such as: personal employee data, client data (~150 credit cards details, and other information), financials, agreements and contracts, etc.
- 🏴☠️ Akira has just published a new victim : Panini Kabob Grill: Panini Kabob Grill specializes in preparing fresh and healthier Mediterranean food using high-quality ingredients in a scratch kitchen. We are ready to upload 60GB files of corporate documents such as: detailed personal employee information (SSN, DLs, passport, photo, phone, emails and so on), credit cards, detailed financials, agreements and contracts, etc.
- 🏴☠️ Akira has just published a new victim : Morton LTC, Reed Pope Law, American Public Television, Benchmark Connector, Radtke Contrac…: We obtained about 22gb of the following companies: Morton LTC Home, Reed Pope, American Public Television (APT), Benchmark Connector Corporation, Radtke Contractors. You will find personal employees and customer information, lots of projects, agreements and contracts and other sensitive files.
- 🏴☠️ Akira has just published a new victim : Casting House: Casting House is a full-service custom jewelry manufacturing company that provides jewelers and designers with access to manufacturing solutions… We are ready to upload 10GB files of corporate documents such as: personal employee data, financials, agreements and contracts, confidential files, credit card details, etc.
- 🏴☠️ Thegentlemen has just published a new victim : Devereux Advanced Behavioral Health: www.devereux.org https://www.zoominfo.com/c/the-devereux-foundation/60082215 Devereux Advanced Behavioral Health, headquartered in Villanova, Pennsylvania, is a behavioral healthcare organization that operates a network of clinical, therapeutic, educational, and employment programs.
- 🏴☠️ Brotherhood has just published a new victim : Ingenieurbüro Laudi: Contains: 4 Gb Compressed Free Files, 139 Gb Compressed Paid Files
- 🏴☠️ Akira has just published a new victim : Gershow Recycling: Gershow Recycling is a prominent scrap metal buying and selling facility… We are ready to upload 31GB files of essential corporate documents such as: Employee information (DLs and other scanned documents), internal confidential files, detailed financials, clients information, interesting agreements details with organizations, NDA, etc.
- 🏴☠️ Akira has just published a new victim : Design Team Sign Company: Design Team Sign Company is a manufacturer of custom graphic sign media. We are ready to upload 108GB files of essential corporate documents such as: HR files, personal data, detailed financials, databases, projects, agreements, customer information, NDA, etc.
- 🏴☠️ Akira has just published a new victim : K2d: K2D Consulting Engineers is a professional Mechanical, Electrical, and Plumbing (MEP) consulting firm based in Los Angeles… We are ready to upload 121GB files of essential corporate documents such as: personal employee data, detailed financials, agreements, client information, confidentiality agreements, NDA, etc.
- 🏴☠️ Akira has just published a new victim : Lone Rock Timber: Lone Rock is a timber company. We are ready to upload 25GB files of corporate documents such as: personal employee data, financials, agreements and contracts, etc.
- 🏴☠️ Anubis has just published a new victim : Mid South Pulmonary & Sleep Specialists: Patient data breach.
- 🏴☠️ Worldleaks has just published a new victim : Family Farm and Home: [AI generated] Family Farm and Home is a retail chain specializing in agricultural and home improvement products. Founded in 1959 as a single store in Michigan, it now operates across multiple states.
- 🏴☠️ Qilin has just published a new victim : Comansco: N/A
- 🏴☠️ Tengu has just published a new victim : Rollingertec S.A. – Luxembourg: Offering integrated solutions in the field of building technology and timber construction, with a special focus on roofs, facades, and metal insulation.
- 🏴☠️ Nova has just published a new victim : Caros co: South Korea. It was founded in 2009. It is engaged in the production and sale of general-purpose vehicles. Among the products: an ice maker, a water purifier, a water heater and others.
- 🏴☠️ Qilin has just published a new victim : ERR Raumplaner: N/A
- 🏴☠️ Qilin has just published a new victim : Bcfpers: N/A
- 🏴☠️ Qilin has just published a new victim : United Volleyball Supply: N/A