Latest Ransomware News and New File Extensions
Akira:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration for public extortion. The group claims to have stolen 24 GB of corporate data from ABC Home & Commercial Services and 63 GB from The Minor Firm.
- Targets: ABC Home & Commercial Services (a commercial services provider) and The Minor Firm (a law firm).
- Decryption Status: No public decryption tool is available.
- Source: Provided news feed articles: “🏴☠️ Akira has just published a new victim : ABC Home & Commercial Services” and “🏴☠️ Akira has just published a new victim : The Minor Firm”
Qilin:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and public extortion.
- Targets: A wide range of industries, including victims such as Kana Pipeline Inc, Medisend, Scientology, Espaço Casa, McManes Law, and Yellow Cab of Columbus.
- Decryption Status: No public decryption tool is available.
- Source: Provided news feed articles titled “🏴☠️ Qilin has just published a new victim…”
Nova:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration, specifically targeting large SQL databases containing sensitive patient information. The group claims to have stolen 100GB of SQL files from a Brazilian health system.
- Targets: Healthcare organizations, including Nigeria’s National Health Insurance Management Authority and Brazil’s Atenção Primária à Saúde system.
- Decryption Status: No public decryption tool is available.
- Source: Provided news feed articles: “🏴☠️ Nova has just published a new victim : National Health Insurance Management Authority” and “🏴☠️ Nova has just published a new victim : Atenção Primária à Saúde Brazil”
Lockbit3:
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: The group announced a new version of its data leak blog (Lockbit 5.0), claiming enhanced protection against law enforcement actions.
- Targets: This was a general announcement rather than a specific victim disclosure.
- Decryption Status: No public decryption tool is available for recent versions.
- Source: Provided news feed article: “🏴☠️ Lockbit3 has just published a new victim : new blog domain lockbit 5.0”
Other Active Groups (Spacebears, Anubis, Interlock, etc.):
- New Encrypted File Extension: Not specified in the articles.
- Attack Methods: Data exfiltration and extortion across multiple groups.
- Targets: Various sectors, including technology (Slimsoft, Quasar Inc), fire safety (Smith Fire Systems), education (Providence Academy), and logistics (Pioneer Ocean Freight Co., Ltd.).
- Decryption Status: No public decryption tools are available for these ongoing threats.
- Source: Various provided news feed articles announcing new victims.
Observations and Further Recommendations
- There is a high volume of activity from numerous ransomware groups, with Qilin being particularly prolific in targeting a diverse range of industries.
- The primary tactic observed is data exfiltration for “double extortion,” where gangs threaten to leak stolen sensitive data (financial, personal, legal) to pressure victims into paying.
- Healthcare and legal sectors remain high-value targets due to the sensitive and confidential nature of the data they manage.
- Organizations should prioritize robust data protection strategies, network segmentation, and incident response plans. Standard recommendations include maintaining immutable or offline backups, enforcing multi-factor authentication (MFA), and applying security patches in a timely manner.
News Details
- CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People’s Republic of China (PRC) to maintain long-term persistence on compromised systems.
- JPCERT Confirms Active Command Injection Attacks on Array AG Gateways: A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week.
- Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China: The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.
- ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts — and 15 More Stories: Think your Wi-Fi is safe? Your coding tools? Or even your favorite financial apps? This week proves again how hackers, companies, and governments are all locked in a nonstop race to outsmart each other.
- 5 Threats That Reshaped Web Security This Year [2025]: As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniques, and supply chain compromises affecting hundreds of thousands of websites forced a fundamental rethink of defensive strategies.
- GoldFactory Hits Southeast Asia with Modified Banking Apps Driving 11,000+ Infections: Cybercriminals associated with a financially motivated group known as GoldFactory have been observed staging a fresh round of attacks targeting mobile users in Indonesia, Thailand, and Vietnam by impersonating government services.
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts: Cloudflare on Wednesday said it detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps).
- Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution: A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution.
- Discover the AI Tools Fueling the Next Cybercrime Wave — Watch the Webinar: Remember when phishing emails were easy to spot? Bad grammar, weird formatting, and requests from a “Prince” in a distant country? Those days are over.
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation: Microsoft has silently plugged a security flaw that has been exploited by several threat actors since 2017 as part of the company’s November 2025 Patch Tuesday updates, according to ACROS Security’s 0patch.
- WordPress King Addons Flaw Under Active Attack Lets Hackers Make Admin Accounts: A critical security flaw impacting a WordPress plugin known as King Addons for Elementor has come under active exploitation in the wild.
- React2Shell critical flaw actively exploited in China-linked attacks: Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the max-severity issue was disclosed.
- Cloudflare down, websites offline with 500 Internal Server Error: Cloudflare is down, as websites are crashing with a 500 Internal Server Error. Cloudflare is investigating the reports.
- Hackers are exploiting ArrayOS AG VPN flaw to plant webshells: Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
- NCSC’s ‘Proactive Notifications’ warns orgs of flaws in exposed devices: The UK’s National Cyber Security Center (NCSC) announced the testing phase of a new service called Proactive Notifications, designed to inform organizations in the country of vulnerabilities present in their environment.
- Predator spyware uses new infection vector for zero-click attacks: The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed “Aladdin” that compromised specific targets when simply viewing a malicious advertisement.
- Russia blocks FaceTime and Snapchat for alleged use by terrorists: Russian telecommunications watchdog Roskomnadzor has blocked access to Apple’s FaceTime video conferencing platform and the Snapchat instant messaging service, claiming they’re being used to coordinate terrorist attacks.
- CISA warns of Chinese “BrickStorm” malware attacks on VMware servers: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders of Chinese hackers backdooring VMware vSphere servers with Brickstorm malware.
- Critical React, Next.js flaw lets hackers execute code on servers: A maximum severity vulnerability, dubbed ‘React2Shell’, in the React Server Components (RSC) ‘Flight’ protocol allows remote code execution without authentication in React and Next.js applications.
- Marquis data breach impacts over 74 US banks, credit unions: Financial software provider Marquis Software Solutions is warning that it suffered a data breach that impacted dozens of banks and credit unions across the US.
- Critical flaw in WordPress add-on for Elementor exploited in attacks: Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.
- CISA, NSA and Cyber Centre Warn Critical Infrastructure of BRICKSTORM Malware Used by People’s Republic of China State-Sponsored Actors: [No introductory text was provided in the article.]
- CISA Warns of ‘Ongoing’ Brickstorm Backdoor Attacks: State-sponsored actors tied to China continue to target VMware vSphere environments at government and technology organizations.
- 🏴☠️ Lockbit3 has just published a new victim : new blog domain lockbit 5.0: New secure blog domain, with a multi-layered protection system against all-powerful FBI agents lockbitapt67g6rwzjbcxnww5efpg4qok6vpfeth7wx3okj52ks4wtad.onion
- 🏴☠️ Spacebears has just published a new victim : Slimsoft: Software and website development. Over 25 years of experience in developing software and websites according to customer needs and requirements, while providing existing solutions or building according to customer needs and requirements. SQL / Other. https://slimsoft.co.il/
- 🏴☠️ Nova has just published a new victim : National Health Insurance Management Authority: The National Health Insurance Scheme (NHIS) provides access to quality healthcare services, essential medicines, and state-of-the-art medical equipment. It aims to facilitate equitable contributions and access to healthcare for individuals and families, protecting them against catastrophic healthcare expenditures.
- 🏴☠️ Anubis has just published a new victim : Smith Fire Systems: A company that provides comprehensive fire protection services for buildings.
- 🏴☠️ Akira has just published a new victim : ABC Home & Commercial Services: ABC Home & Commercial Services is a provider of home and commercial pest control, air conditioning, heating, lawn care and more. We are ready to upload 24 GB of corporate data.
- 🏴☠️ Akira has just published a new victim : The Minor Firm: The Minor Firm is a premier law firm located in Northwest Georgia, established for over 40 years. They specialize in complex legal matters… We are ready to upload 63 GB of corporate data.
- SMS Phishers Pivot to Points, Taxes, Fake Retailers: China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites…