Latest Ransomware News and New File Extensions
Inc Ransomware:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data theft and extortion. The group claimed responsibility for an attack on the CodeRED emergency alert platform, stating they stole sensitive subscriber data.
- Targets: OnSolve (operator of CodeRED), oxfordshop.com.au (Australian retailer), Miller Wood Trade Publications, and Enea (a global software company).
- Decryption Status: No decryption tool mentioned.
- Source: CodeRED Emergency Alert Platform Shut Down Following Cyberattack
Akira:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration (claiming to have stolen between 10 GB and 82 GB of data per victim) and publication of victims on its leak site. Exfiltrated data reportedly includes employee PII (SSNs, passports), client information, and financial records.
- Targets: A wide range of US companies, including Wisconsin Knife Works, Martin & Company, Cleveland Construction, Abhe & Svoboda, and Innomotive Solutions Group.
- Decryption Status: No decryption tool mentioned.
- Source: 🏴☠️ Akira has just published a new victim : Wisconsin Knife Works… (and subsequent Akira posts)
Rhysida:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and publication on its leak site to extort victims.
- Targets: Cleveland County Sheriff’s Office (US law enforcement).
- Decryption Status: No decryption tool mentioned.
- Source: 🏴☠️ Rhysida has just published a new victim : Cleveland County Sheriff’s Office
Play:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and publication of victims on its leak site.
- Targets: Organizations across the US, Canada, and South Korea, including University Loft, South Island Public Service District, Clark & Sullivan Constructors, and Aspen Distribution.
- Decryption Status: No decryption tool mentioned.
- Source: 🏴☠️ Play has just published a new victim : University Loft (and subsequent Play posts)
Other Active Groups:
- Summary: Multiple other ransomware groups including Dragonforce, Ransomhouse, Qilin, Medusa, Genesis, and Devman were also active, publishing new victims on their respective leak sites.
- Targets: Victims spanned various industries globally, including oil & gas, retail, healthcare, government services, manufacturing, architecture, and education.
- Source: Various threat intelligence posts.
Observations and Further Recommendations
- Ransomware activity remains high, with numerous groups actively targeting a diverse range of sectors, including critical infrastructure (CodeRED emergency alert system) and law enforcement (Cleveland County Sheriff’s Office).
- The primary tactic observed is “double extortion,” where attackers exfiltrate sensitive data and threaten to publish it on leak sites to pressure victims into paying ransoms.
- The sheer volume of victims listed by gangs like Akira and Play indicates widespread and ongoing campaigns targeting businesses of all sizes, particularly in North America.
- To mitigate risks, organizations should prioritize robust cybersecurity measures: patching known vulnerabilities, implementing multi-factor authentication (MFA), maintaining secure and offline data backups, and conducting regular employee security training.
News Details
- CodeRED Emergency Alert Platform Shut Down Following Cyberattack: The Inc ransomware gang took responsibility for the attack earlier this month and claimed it stole sensitive subscriber data.
- Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild: Google on Monday released monthly security updates for the Android operating system, including two vulnerabilities that it said have been exploited in the wild. The patch addresses a total of 107 security flaws spanning different components.
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware: A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time. Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024.
- New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control: A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a “full spectrum” of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices.
- Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets: The threat actor known as Tomiris has been attributed to attacks targeting foreign ministries, intergovernmental organizations, and government entities in Russia with an aim to establish remote access and deploy additional tools.
- Retail giant Coupang data breach impacts 33.7 million customers: South Korea’s largest retailer, Coupang, has suffered a data breach that exposed the personal information of 33.7 million customers.
- Glassworm malware returns in third wave of malicious VS Code packages: The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms.
- Police Disrupt ‘Cryptomixer,’ Seize Millions in Crypto: Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities.
- Shai-hulud 2.0 Variant Threatens Cloud Ecosystem: The latest attack from the self-replicating npm-package poisoning worm can also steal credentials and secrets from AWS, Google Cloud Platform, and Azure.