Latest Ransomware News and New File Extensions
DragonForce:
- New Encrypted File Extension: Not specified in the article.
- Attack Methods: Collaborates with the “Scattered Spider” hacking group, which specializes in advanced social engineering and initial access, to enable coordinated, multi-stage intrusions.
- Targets: Major organizations across various environments.
- Decryption Status: No known decryptor mentioned.
- Source: Source URL not provided.
Multiple Ransomware Gangs (Activity from Leak Sites):
- New Encrypted File Extension: Not specified in the reports.
- Attack Methods: Primarily data exfiltration for double extortion, where gangs steal sensitive data and threaten to publish it if the ransom is not paid. Many posts detail the volume and type of data stolen.
- Targets: A wide variety of organizations across multiple sectors and countries were listed as new victims by numerous gangs, including:
- Akira: Quality Engineered Homes, Pan-O-Gold Baking Company, Custom Engineered Wheels, Building Controls and Services, Eggelhof, Wynn & Wynn, Fuji Vegetable Oil, Rouse Frets White Goss Gentile Rhodes, and others.
- Qilin: Yellow Cab of Columbus, IES Synergy, Clayco Electric, Gandía Palace Hotel, Valley Eye Associates, Mainetti UK, and many others.
- Nightspire: Pioneer Ocean Freight Co., Ltd., Davis Kitchens.
- Dragonforce: Basra Transports.
- Sinobi: CCJM, Pathmaker Group, GV Service, Reading Elevator Service, Garrett Taylor, Dds.
- Incransom: Bison Family Medical Clinics, instyle.com.au.
- Other active groups: Spacebears, Nova, Interlock, Devman, Nitrogen, Benzona, Rhysida, Ransomhouse, Securotrop, Coinbasecartel, Chaos, Everest, Tridentlocker.
- Decryption Status: Information not available; focus is on data leaks.
- Source: Source URL not provided (Compiled from ransomware leak site announcements).
Observations and Further Recommendations
- The current landscape shows a high volume of activity from numerous ransomware groups. Their primary tactic is data exfiltration and extortion, targeting a diverse range of industries, including manufacturing, legal, healthcare, and logistics.
- There is a clear trend of collaboration between specialized groups. The partnership between DragonForce and Scattered Spider highlights how ransomware operators leverage initial access brokers to execute more sophisticated and effective attacks.
- Attackers often exploit periods of reduced security staffing. One article notes that ransomware groups intentionally target enterprises during holidays, weekends, and off-hours, capitalizing on slower response times.
- To mitigate these threats, organizations should strengthen defenses against initial access vectors like social engineering, ensure 24/7 monitoring capabilities, and maintain a robust, tested incident response plan for weekends and holidays.
News Details
- 5 Threats That Reshaped Web Security This Year [2025]: As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies.
- GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections: Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts: Cloudflare on Wednesday said it detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps).
- Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution: A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
- Discover the AI Tools Fueling the Next Cybercrime Wave — Watch the Webinar: Remember when phishing emails were easy to spot? Bad grammar, weird formatting, and requests from a “Prince” in a distant country? Those days are over.
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation: Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company’s November 2025 Patch Tuesday updates, according to ACROS Security’s 0patch.
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts: A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.
- Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud: The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm via WhatsApp; the worm deploys a banking trojan in attacks targeting users in Brazil.
- Chopping AI Down to Size: Turning Disruptive Technology into a Strategic Advantage: Most people know the story of Paul Bunyan. A giant lumberjack, a trusted axe, and a challenge from a machine that promised to outpace him. Paul doubled down on his old way of working, swung harder, and still lost by a quarter inch.
- Picklescan Bugs Allow Malicious PyTorch Models to Evade Scans and Execute Code: Three critical security flaws have been disclosed in an open-source utility called Picklescan that could allow malicious actors to execute arbitrary code by loading untrusted PyTorch models, effectively bypassing the tool’s protections.
- Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems: Cybersecurity researchers have discovered a malicious Rust package that’s capable of targeting Windows, macOS, and Linux systems, and features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
- India Orders Messaging Apps to Work Only With Active SIM Cards to Prevent Fraud and Misuse: India’s Department of Telecommunications (DoT) has issued directions to app-based communication service providers to ensure that the platforms cannot be used without an active SIM card linked to the user’s mobile number.
- Accelerating VMware migrations with a factory model approach: In 1913, Henry Ford cut the time it took to build a Model T from 12 hours to just over 90 minutes. He accomplished this feat through a revolutionary breakthrough in process design: Instead of skilled craftsmen building a car from scratch by hand, Ford created an assembly line where standardized tasks happened in sequence, at scale.
- Marquis data breach impacts over 74 US banks, credit unions: Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
- Critical flaw in WordPress add-on for Elementor exploited in attacks: Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.
- French DIY retail giant Leroy Merlin discloses a data breach: Leroy Merlin is sending security breach notifications to customers in France, informing them that their personal data was compromised.
- Freedom Mobile discloses data breach exposing customer data: Freedom Mobile, the fourth-largest wireless carrier in Canada, has disclosed a data breach after attackers hacked into its customer account management platform and stole the personal information of an undisclosed number of customers.
- Russia blocks Roblox over distribution of LGBT “propaganda”: Roskomnadzor, Russia’s telecommunications watchdog, has blocked access to the Roblox online gaming platform for failing to stop the distribution of what it described as LGBT propaganda and extremist materials.
- Google expands Android scam protection feature to Chase, Cash App in U.S.: Google is expanding support for its Android’s in-call scam protection to multiple banks and financial applications in the United States.
- Microsoft “mitigates” Windows LNK flaw exploited as zero-day: Microsoft has silently “mitigated” a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks.
- Deep dive into DragonForce ransomware and its Scattered Spider connection: DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the “Scattered Spider” collaboration enables coordinated, multistage intrusions across major environments.
- Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack: In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second.
- University of Phoenix discloses data breach after Oracle hack: The University of Phoenix (UoPX) has joined a growing list of U.S. universities breached in a Clop data theft campaign targeting vulnerable Oracle E-Business Suite instances in August 2025.
- Korea arrests suspects selling intimate videos from hacked IP cameras: The Korean National Police have arrested four individuals suspected of hacking over 120,000 IP cameras across the country and then selling stolen footage to a foreign adult site.
- FTC settlement requires Illuminate to delete unnecessary student data: The Federal Trade Commission (FTC) is proposing that education technology provider Illuminate Education delete unnecessary student data and improve its security to settle allegations related to an incident in 2021 that exposed info of 10 million students.
- ChatGPT is down worldwide, conversations disappeared for users: OpenAI’s AI-powered ChatGPT is down worldwide with users receiving errors when attempting to access chats, with no reasons currently given.
- ‘MuddyWater’ Hackers Target Israeli Orgs With Retro Game Tactic: Iran’s top state-sponsored APT is usually rather crass. But in a recent spate of attacks, it tried out some interesting evasion tactics, including delving into Snake, an old-school mobile game.
- ‘ShadyPanda’ Hackers Weaponize Millions of Browsers: The China-based cyber-threat group has been quietly using malicious extensions on the Google Chrome and Microsoft Edge marketplaces to spy on millions of users.
- Critical React Flaw Triggers Calls for Immediate Action: The vulnerability, which was assigned two CVEs with maximum CVSS scores of 10, may affect more than a third of cloud service providers.
- Arizona AG Sues Temu Over ‘Stealing’ User Data: The suit alleges the Chinese retailer’s app secretly accesses and harvests users’ sensitive information without their knowledge or consent.
- The Ransomware Holiday Bind: Burnout or Be Vulnerable: Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.
- AI Bolsters Python Variant of Brazilian WhatsApp Attacks: Water Saci has upgraded its self-propagating malware to compromise banks and cryptocurrency exchanges by targeting enterprise users of the popular chat app.
- China Researches Ways to Disrupt Satellite Internet: While satellite constellations — such as Starlink — are resilient, 2,000 drones could cut communications to a region the size of Taiwan, researchers find.
- 🏴☠️ Nightspire has just published a new victim : Pioneer Ocean Freight Co., Ltd.: Pioneer Ocean Freight Co., Ltd.
- 🏴☠️ Qilin has just published a new victim : Yellow Cab of Columbus: N/A
- 🏴☠️ Spacebears has just published a new victim : Quasar Inc: Quasar, Inc. specializes in high-quality design, implementation support, and related services tailored for the telecommunications industry. Since 1997, the company has set a benchmark with efficient and cost-effective network designs implemented across five continents and over 100 cities.
- 🏴☠️ Nova has just published a new victim : Atenção Primária à Saúde Brazil: Atenção Primária à Saúde is a system provided by Ministério da Saúde of Brazil; we have exf all sql files (100GB of SQL files) from their systems and clouds, millions of patient records, 50M> records lines…
- 🏴☠️ Qilin has just published a new victim : IES Synergy: N/A
- 🏴☠️ Sinobi has just published a new victim : CCJM: CCJM is a multi-disciplined engineering firm that has been providing client-focused engineering solutions since 1979. Their services include buildings and facilities, civil/site work, construction management and inspection, energy solutions, smart technology, surveying, transportation, and water/wastewater management.
- 🏴☠️ Dragonforce has just published a new victim : Basra Transports: Basra Transports is a transportation and logistics company that handles freight transportation across North America, including the United States and Canada.