Ransomware Update – 2025-12-03

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Akira:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration for double extortion. The group claims to have stolen corporate documents, personal employee data (passports, SSNs), client information, and financial files.
    • Targets: A diverse range of industries including manufacturing (Wisconsin Knife Works, Toledo Transducers, Prismier), financial services (The Smith Companies), engineering (Jewell Engineering), logistics (Next Generation Logistics), and custom signage (Ziglin Signs).
    • Decryption Status: No public decryptor is available.
    • Source: 🏴‍☠️ Akira has just published a new victim : Wisconsin Knife Works, The Smith Companies…
  • Inc Ransom (Incransom):

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion. The group took responsibility for the cyberattack that shut down the CodeRED emergency alert platform. It also claims to possess large volumes of data from other victims (e.g., 150GB-500GB).
    • Targets: Critical infrastructure (CodeRED), healthcare (bisonfamilymedical.com, www.precipiodx.com), retail (instyle.com.au, oxfordshop.com.au), and services (American Pools & Spas).
    • Decryption Status: No public decryptor is available.
    • Source: CodeRED Emergency Alert Platform Shut Down Following Cyberattack; 🏴‍☠️ Incransom has just published a new victim…
  • Qilin:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and public shaming on its leak site.
    • Targets: A wide variety of international organizations across multiple sectors, including non-profits (France terre d’asile), legal services (Tlusty & Kennedy), technology (Virtualware Solutions), and manufacturing.
    • Decryption Status: No public decryptor is available.
    • Source: 🏴‍☠️ Qilin has just published a new victim : Moyes
  • Dragonforce:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Transportation and logistics (Basra Transports), entertainment (Immling Festival), energy (Capital Star Oil & Gas Inc.), and telecommunications retail (Mobilelink USA).
    • Decryption Status: No public decryptor is available.
    • Source: 🏴‍☠️ Dragonforce has just published a new victim : Basra Transports
  • Rhysida:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Data exfiltration and extortion.
    • Targets: Government and law enforcement entities, including the Cleveland County Sheriff’s Office.
    • Decryption Status: No public decryptor is available.
    • Source: 🏴‍☠️ Rhysida has just published a new victim : Cleveland County Sheriff’s Office
  • Multiple Other Groups (Chaos, Everest, Play, Ransomhouse, Sinobi):

    • New Encrypted File Extension: Not specified in reports.
    • Attack Methods: Data exfiltration and posting victim names on dedicated leak sites to pressure them into paying a ransom.
    • Targets: Highly varied, including major technology companies (ASUS), financial tech (Exegy), manufacturing (dakkota.com), healthcare (Garrett Taylor, DDS), construction (Clark & Sullivan Constructors), and distribution (Aspen Distribution).
    • Decryption Status: No public decryptors are available for these ongoing campaigns.
    • Source: Various victim posts from Chaos, Everest, Play, Ransomhouse, Sinobi and others.

Observations and Further Recommendations

  • There is a high volume of activity from numerous ransomware and extortion groups, indicating a persistent and widespread threat landscape.
  • Attackers are targeting a broad and indiscriminate range of sectors globally, including manufacturing, technology, healthcare, and critical public services like emergency alerts and law enforcement. No industry appears to be safe.
  • The primary tactic observed is double extortion, where sensitive data is stolen before encryption (or sometimes without it), with the threat of a public data leak used as leverage to force ransom payments.
  • To mitigate risks, organizations should prioritize robust cybersecurity measures: maintain offline, encrypted backups of critical data; enforce strong, unique passwords and multi-factor authentication (MFA) everywhere possible; segment networks to limit lateral movement; and conduct regular security awareness training for all employees.

News Details

  • Chopping AI Down to Size: Turning Disruptive Technology into a Strategic Advantage: Most people know the story of Paul Bunyan. A giant lumberjack, a trusted axe, and a challenge from a machine that promised to outpace him. Paul doubled down on his old way of working, swung harder, and still lost by a quarter inch. His mistake was not losing the contest. His mistake was assuming that effort alone could outmatch a new kind of tool.
  • Picklescan Bugs Allow Malicious PyTorch Models to Evade Scans and Execute Code: Three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool’s protections.
  • Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems: Cybersecurity researchers have discovered a malicious Rust package that’s capable of targeting Windows, macOS, and Linux systems, and features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
  • India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse: India’s Department of Telecommunications (DoT) has issued directions to app-based communication service providers to ensure that the platforms cannot be used without an active SIM card linked to the user’s mobile number.
  • Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera: A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea’s most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group’s Famous Chollima division.
  • GlassWorm Returns with 24 Malicious Extensions Impersonating Popular Developer Tools: The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue.
  • Malicious npm Package Uses Hidden Prompt and Script to Evade AI Security Tools: Cybersecurity researchers have disclosed details of an npm package that attempts to influence artificial intelligence (AI)-driven security scanners.
  • Iran-Linked Hackers Hit Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks: Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper.
  • SecAlerts Cuts Through the Noise with a Smarter, Faster Way to Track Vulnerabilities: Vulnerability management is a core component of every cybersecurity strategy. However, businesses often use thousands of software products without realising it (when was the last time you checked?), and keeping track of all the vulnerability alerts, notifications, and updates can be a burden on resources and often leads to missed vulnerabilities.
  • Google Patches 107 Android Flaws, Including Two Framework Bugs Exploited in the Wild: Google on Monday released monthly security updates for the Android operating system, including two vulnerabilities that it said have been exploited in the wild.
  • India Orders Phone Makers to Pre-Install Government App to Tackle Telecom Fraud: India’s telecommunications ministry has ordered major mobile device manufacturers to preload a government-backed cybersecurity app named Sanchar Saathi on all new phones within 90 days.
  • ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware: A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time.
  • Korea arrests suspects selling intimate videos from hacked IP cameras: The Korean National Police have arrested four individuals suspected of hacking over 120,000 IP cameras across the country and then selling stolen footage to a foreign adult site.
  • FTC settlement requires Illuminate to delete unnecessary student data: The Federal Trade Commission (FTC) is proposing that education technology provider Illuminate Education delete unnecessary student data and improve its security to settle allegations related to an incident in 2021 that exposed the information of 10 million students.
  • ChatGPT is down worldwide, conversations disappeared for users: OpenAI’s AI-powered ChatGPT is down worldwide with users receiving errors when attempting to access chats, with no reasons currently given.
  • Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets: The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM (Node Package Manager) registry and publishing stolen data in 30,000 GitHub repositories.
  • Microsoft Defender portal outage disrupts threat hunting alerts: Microsoft is working to mitigate an ongoing incident that has been blocking access to some Defender XDR portal capabilities, including threat hunting alerts.
  • Cybercrime Goes SaaS: Renting Tools, Access, and Infrastructure: Cybercrime has fully shifted to a subscription model, with phishing kits, Telegram OTP bots, infostealer logs, and even RATs now rented like SaaS tools. Varonis explains how this “crime-as-a-service” economy lowers the barrier to entry and gives low-skill attackers on-demand access to advanced capabilities.
  • North Korea lures engineers to rent identities in fake IT worker scheme: In an unprecedented intelligence operation, security researchers exposed how North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising.
  • Google fixes two Android zero days exploited in attacks, 107 flaws: Google has released the December 2025 Android security bulletin, addressing 107 vulnerabilities, including two flaws actively exploited in targeted attacks.
  • Fake Calendly invites spoof top brands to hijack ad manager accounts: An ongoing phishing campaign impersonates popular brands, such as Unilever, Disney, MasterCard, LVMH, and Uber, in Calendly-themed lures to steal Google Workspace and Facebook business account credentials.
  • Microsoft: KB5070311 triggers File Explorer white flash in dark mode: Microsoft has confirmed that the KB5070311 preview update is triggering bright white flashes when launching the File Explorer in dark mode on Windows 11 systems.
  • University of Pennsylvania confirms new data breach after Oracle hack: The University of Pennsylvania (Penn) has confirmed a new data breach after attackers stole documents containing personal information from its Oracle E-Business Suite servers in August.
  • Windows 11 KB5070311 update fixes File Explorer freezes, search issues: Microsoft has released the KB5070311 preview cumulative update for Windows 11 systems, which includes 49 changes, including fixes for File Explorer freezes and search issues.
  • The Polaroid Flip, my favorite retro instant camera, is cheaper than ever: I love instant cameras because of how they help me slow down and be creative without the distractions of a phone. Holding a real print also feels grounding in a screen-dominated age, which is why I think a lot of people these days are drawn to them — and why models with old-school vibes like the Polaroid Flip make such great gifts.
  • Indiegogo is launching ‘Express Crowdfunding’ so creators can ship things sooner: Indiegogo is planning to launch a new “Express Crowdfunding” campaign format that lets creators ship things while the campaign is ongoing instead of forcing creators to wait until the campaign is over.
  • Google is experimentally replacing news headlines with AI clickbait nonsense: “BG3 players exploit children,” reads a Google AI-generated headline. Did you know that BG3 players exploit children? Are you aware that Qi2 slows older Pixels? If we wrote those misleading headlines, readers would rip us a new one – but Google is experimentally beginning to replace the original headlines on stories it serves with AI nonsense like that.
  • Amazon’s bet that AI benchmarks don’t matter: Amazon’s AI chief has a message for the model benchmark obsessives: Stop looking at the leaderboards. “I want real-world utility. None of these benchmarks are real,” Rohit Prasad, Amazon’s SVP of AGI, told me ahead of today’s announcements at AWS re:Invent in Las Vegas.
  • Silicon Valley is rallying behind a guy who sucks: Hello and welcome to Regulator, a newsletter for Verge subscribers that covers the political intrigue and power struggles between Big Tech and Big Government. Subscribe here for a weekly dispatch of tech oligarchs fighting regular oligarchs.
  • Helldivers 2’s new ‘slim’ version saves 131GB of space on your drive: If you’ve been short on storage on your PC, the latest Helldivers 2 beta update might help. The developers said Tuesday they’ve managed to cut down the PC file size for Helldivers 2 by about 85 percent, freeing up enough space for at least one or two more large games.
  • HBO Max’s Mad Men 4K release is the opposite of a remaster: Though HBO Max was very proud to announce that it would be the first platform to stream Mad Men in 4K, the show’s new rollout has been an absolute mess.
  • Roborock’s powerful Saros 10 robovac is still at its lowest price ever: Black Friday and Cyber Monday brought some of the best deals of the year on robot vacuums. One of the handful of great discounts remaining is on the Roborock Saros 10, which we recently crowned the runner-up in our buying guide to the best robovac you can buy.
  • The Switch 2 is still on sale at multiple retailers if you missed out during Cyber Monday: One of the biggest surprises of Cyber Monday was the excellent discount we saw on the Nintendo Switch 2 Mario Kart World console bundle, which dropped in price by $50. We expected the price to return to normal once the shopping holiday ended, but — surprise, surprise — it’s still going strong.
  • Steam Machine today, Steam Phones tomorrow: It’s a big deal that Valve is making a game console. But I’m beginning to think the Steam Machine may end up a footnote in gaming history. What if Valve could bring PC games not just to its own living room consoles, but also to the Arm chips that billions of people have in their phones?
  • China Researches Ways to Disrupt Satellite Internet: While satellite constellations — such as Starlink — are resilient, 2,000 drones could cut communications to a region the size of Taiwan, researchers find.
  • While ECH Adoption Is Low, Risks Remain for Enterprises, End Users: Is the new privacy protocol helping malicious actors more than Internet users?
  • Iran’s ‘MuddyWater’ Levels Up With MuddyViper Backdoor: New Fooder loader and memory-only tactics suggest MuddyWater has evolved from its usual noisy ops to more stealthy espionage operations.
  • Researchers Use Poetry to Jailbreak AI Models: When prompts were presented in poetic rather than prose form, attack success rates increased from 8% to 43%, on average — a fivefold increase.
  • New Raptor Framework Uses Agentic Workflows to Create Patches: Researchers utilized prompts and large language models to develop an open-source AI framework capable of generating both vulnerability exploits and patches.
  • DPRK’s ‘Contagious Interview’ Spawns Malicious Npm Package Factory: North Korean attackers have delivered more than 197 malicious packages with 31K-plus downloads since Oct. 10, as part of ongoing state-sponsored activity to compromise software developers.
  • Tomiris Unleashes ‘Havoc’ With New Tools, Tactics: The Russian-speaking group is targeting government and diplomatic entities in CIS member states and Central Asia in its latest cyber-espionage campaign.
  • CodeRED Emergency Alert Platform Shut Down Following Cyberattack: The Inc ransomware gang took responsibility for the attack earlier this month and claimed it stole sensitive subscriber data.
  • Police Disrupt ‘Cryptomixer,’ Seize Millions in Crypto: Multiple European law enforcement agencies recently disrupted Cryptomixer, a service allegedly used by cybercriminals to launder ill-gotten gains from ransomware and other cyber activities.
  • 🏴‍☠️ Akira has just published a new victim : Wisconsin Knife Works, The Smith Companies, Envirotech Services, Next Generation Logistics…: Here is the access to 17gb of the following companies: Wisconsin Knife Works is a leader in tooling and precision manufacturing of woodworking cutting tools, backed by over 90 years of experience.
  • 🏴‍☠️ Incransom has just published a new victim : bisonfamilymedical.com: Bison Family Medical Clinics provides high-quality medical care through family practice and walk-in services across four locations in Winnipeg.
  • 🏴‍☠️ Incransom has just published a new victim : instyle.com.au: INSTYLE is a leading supplier of design-driven, commercial-quality textiles and vinyls for interiors, including office, hospitality, healthcare, public building, transport, public space and high-end residential interiors.
  • 🏴‍☠️ Dragonforce has just published a new victim : Basra Transports: Basra Transports is a transportation and logistics company that handles freight transportation across North America, including the United States and Canada.
  • 🏴‍☠️ Rhysida has just published a new victim : Cleveland County Sheriff’s Office: Cleveland County Sheriff’s Office