Ransomware Update – 2025-11-30

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Qilin:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; articles announce new victims on the group’s leak site.
    • Targets: A wide range of organizations including Battaglioli, Asia Condominium Association, Bomchil, TBC Consoles, CJW, Chenango Valley Technologies, Zoya, Weiss, Kleber and Associates, and Williamson County, TX.
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.
  • Dragonforce:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; article announces a new victim on the group’s leak site.
    • Targets: Division 10 Inc, a company in the construction industry.
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.
  • Blackshrantac:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; articles announce new victims on the group’s leak site.
    • Targets: Rasen Insaat Ve Yatirim Ticaret A.S. and Badan Pengelola Keuangan Haji (an Indonesian government financial agency).
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.
  • Tridentlocker:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; articles announce new victims on the group’s leak site.
    • Targets: Multiple entities including GuestTek (hospitality tech), Advantage 360 (telecom software), iqs, LMG Holdings (ignition interlock devices), EnQuest (oil & gas), and Calmec (manufacturing).
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.
  • Handala:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; appears to be politically motivated doxing and extortion targeting specific individuals.
    • Targets: Individuals associated with Israel, including a former Head of Cyber Security at IDF Unit 8200 and the “Chief Nuclear Architect of the Zion Regime.”
    • Decryption Status: Not applicable; the group focuses on data leaks rather than encryption.
    • Source: Ransomware activity monitoring feed.
  • Thegentlemen:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; article announces a new victim on the group’s leak site.
    • Targets: Everbiz Industrial Co. Ltd., an industrial manufacturing company.
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.
  • Incransom:

    • New Encrypted File Extension: Not specified in the articles.
    • Attack Methods: Not specified; article announces a new victim on the group’s leak site.
    • Targets: Valley View ISD (vviewisd.net), a school district in Texas.
    • Decryption Status: Not specified; no known public decryption tool.
    • Source: Ransomware activity monitoring feed.

Observations and Further Recommendations

  • Ransomware activity remains high, with numerous groups actively publishing victims across a diverse range of industries, including technology, government, construction, education, and manufacturing.
  • The victim announcements serve as a tactic to pressure organizations into paying the ransom by publicizing the breach.
  • The Handala group’s activities highlight a trend of politically motivated cyberattacks focused on leaking sensitive information about specific individuals rather than broad encryption campaigns.
  • Organizations should prioritize cybersecurity fundamentals: maintain offline backups of critical data, ensure timely patching of all systems, enforce multi-factor authentication (MFA), and conduct regular security awareness training for employees.

News Details

  • CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation. The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw.
  • Japanese beer giant Asahi says data breach hit 1.5 million people: Asahi Group Holdings, Japan’s largest beer producer, has finished the investigation into the September cyberattack and found that the incident has impacted up to 1.9 million individuals.
  • Leak confirms OpenAI is preparing ads on ChatGPT for public roll out: OpenAI is now internally testing ‘ads’ inside ChatGPT that could redefine the web economy.
  • Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison: A 44-year-old man was sentenced to seven years and four months in prison for operating an “evil twin” WiFi network to steal the data of unsuspecting travelers at various airports across Australia.
  • Microsoft: Windows updates make password login option invisible: Microsoft warned users that Windows 11 updates released since August may cause the password sign-in option to disappear from the lock screen options, even though the button remains functional.
  • Public GitLab repositories exposed more than 17,000 secrets: After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains.
  • 🏴‍☠️ Qilin has just published a new victim : Battaglioli: N/A
  • 🏴‍☠️ Dragonforce has just published a new victim : Division 10: Division 10 Inc is a company based in Memphis, Tennessee, specializing in supplying specialty products to the construction industry since 1989.
  • 🏴‍☠️ Blackshrantac has just published a new victim : Badan Pengelola Keuangan Haji: “Badan Pengelola Keuangan Haji” (BPKH) is an agency overseen by the Indonesian Government. Its primary responsibility is to handle and manage the finances related to the Hajj pilgrimage for Indonesian Muslims.
  • 🏴‍☠️ Tridentlocker has just published a new victim : GuestTek: GuestTek is a global company that specializes in delivering and managing communications and connectivity services for the hospitality industry.
  • 🏴‍☠️ Handala has just published a new victim : 8200 Unit corpses: The post is a “WANTED – $10,000 REWARD” notice naming Ron Weinberg, stating that he is currently under investigation, and describing him as an experienced cyber security and network research specialist, formerly Head of Cyber Security and Network Research at the IDF 8200 Unit.
  • 🏴‍☠️ Thegentlemen has just published a new victim : Everbiz Industrial Co. Ltd.: Since that time, we have manufactured thousands of assemblies for a wide variety of industrial customers. Many of the biggest 1000 companies have come to rely on our unique process to fulfill their requirements.
  • 🏴‍☠️ Incransom has just published a new victim : vviewisd.net: Valley View ISD was one of only fifteen districts in the entire state of Texas to receive this rating. We are extremely proud of our students and staff for this great accomplishment.