Ransomware Update – 2025-12-06

[Content by Gemini 2.5]

Latest Ransomware News and New File Extensions

  • Clop Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Exploitation of a zero-day vulnerability in Oracle E-Business Suite software for data theft.
    • Targets: Barts Health NHS Trust, a major UK healthcare provider.
    • Decryption Status: This was a data exfiltration attack; the focus is on stolen data rather than encryption. No decryption information is available.
    • Source: Barts Health NHS discloses data breach after Oracle zero-day hack
  • Akira Ransomware:

    • New Encrypted File Extension: Not specified in reports.
    • Attack Methods: Data exfiltration and extortion via its leak site.
    • Targets: Multiple organizations across various sectors, including Sieger design (design), Advanced Power (energy), Rosland Capital (finance), Foster & Eldridge (legal), and Consolidated Sterilizer Systems (manufacturing).
    • Decryption Status: No information on decryption; the group is threatening to publish stolen data.
    • Source: Ransomware leak site announcements
  • Qilin Ransomware:

    • New Encrypted File Extension: Not specified in reports.
    • Attack Methods: Data theft and publication on its leak site for extortion.
    • Targets: A wide range of businesses, including Beecher Walker Architects, Kana Pipeline Inc, Towerstream, and Shumate Mechanical.
    • Decryption Status: No known decryption tools or information.
    • Source: Ransomware leak site announcements
  • LockBit 3.0:

    • Prominent Details: The group has demonstrated operational resilience by launching a new, more secure leak site domain (“lockbit 5.0”) following previous takedown efforts by law enforcement.
    • Source: Ransomware leak site announcements
  • Unspecified Ransomware:

    • New Encrypted File Extension: Not specified.
    • Attack Methods: Not specified; resulted in a data breach.
    • Targets: Inotiv, an American pharmaceutical firm.
    • Decryption Status: No information available; the company is notifying affected individuals about the data theft.
    • Source: Pharma firm Inotiv discloses data breach after ransomware attack

Observations and Further Recommendations

  • Rapid Weaponization of Vulnerabilities: Threat actors, particularly state-sponsored groups from China, are exploiting critical vulnerabilities like React2Shell (CVE-2025-55182) within hours of public disclosure. This highlights the extremely short window for defenders to apply patches.
  • High Volume of Ransomware Attacks: A large number of ransomware groups (including Akira, Qilin, Safepay, Anubis, Dragonforce, and others) are actively listing new victims, indicating a widespread and persistent threat to organizations across all sectors and sizes.
  • Critical Infrastructure at Risk: The attacks on Barts Health NHS Trust (healthcare) and the warnings about the BRICKSTORM backdoor in VMware environments show a continued focus on critical infrastructure targets.
  • Recommendation: Organizations must prioritize immediate patching of critical vulnerabilities, especially those listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog like the React2Shell flaw. Proactive attack surface management is crucial for defense.

News Details

  • Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
  • Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails: A new agentic browser attack targeting Perplexity’s Comet browser is capable of turning a seemingly innocuous email into a destructive action that wipes a user’s entire Google Drive contents, findings from Straiker STAR Labs show.
  • Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch: A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
  • Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability: Two hacking groups with ties to China have been observed weaponizing the newly disclosed security flaw in React Server Components (RSC) within hours of it becoming public knowledge.
  • Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery: A human rights lawyer from Pakistan’s Balochistan province received a suspicious link on WhatsApp from an unknown number, marking the first time a civil society member in the country was targeted by Intellexa’s Predator spyware, Amnesty International said in a report.
  • “Getting to Yes”: An Anti-Sales Guide for MSPs: Most MSPs and MSSPs know how to deliver effective security. The challenge is helping prospects understand why it matters in business terms.
  • CISA Reports PRC Hackers Using BRICKSTORM for Long-Term Access in U.S. Systems: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People’s Republic of China (PRC) to maintain long-term persistence on compromised systems.
  • JPCERT Confirms Active Command Injection Attacks on Array AG Gateways: A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week.
  • Silver Fox Uses Fake Microsoft Teams Installer to Spread ValleyRAT Malware in China: The threat actor known as Silver Fox has been spotted orchestrating a false flag operation to mimic a Russian threat group in attacks targeting organizations in China.
  • Barts Health NHS discloses data breach after Oracle zero-day hack: Barts Health NHS Trust has announced that Clop ransomware actors have stolen files from a database by exploiting a vulnerability in its Oracle E-Business Suite software.
  • FBI warns of virtual kidnapping scams using altered social media photos: The FBI warns of criminals altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams.
  • EU fines X $140 million over deceptive blue checkmarks: The European Commission has fined X €120 million ($140 million) for violating transparency obligations under the Digital Services Act (DSA).
  • Cloudflare blames today’s outage on React2Shell mitigations: Cloudflare has blamed today’s outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks.
  • Pharma firm Inotiv discloses data breach after ransomware attack: American pharmaceutical firm Inotiv is notifying thousands of people that their personal information was stolen in an August 2025 ransomware attack.
  • Critical React2Shell flaw actively exploited in China-linked attacks: Multiple China-linked threat actors began exploiting the React2Shell vulnerability (CVE-2025-55182) affecting React and Next.js just hours after the max-severity issue was disclosed.
  • Cloudflare down, websites offline with 500 Internal Server Error: Cloudflare is down, as websites are crashing with a 500 Internal Server Error. Cloudflare is investigating the reports.
  • Hackers are exploiting ArrayOS AG VPN flaw to plant webshells: Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
  • Predator spyware uses new infection vector for zero-click attacks: The Predator spyware from surveillance company Intellexa has been using a zero-click infection mechanism dubbed “Aladdin” that compromised specific targets when simply viewing a malicious advertisement.
  • CISA warns of Chinese “BrickStorm” malware attacks on VMware servers: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned network defenders of Chinese hackers backdooring VMware vSphere servers with Brickstorm malware.
  • React2Shell Vulnerability Under Attack From China-Nexus Groups: A maximum-severity vulnerability affecting the React JavaScript library has been exploited in the wild, further stressing the need to patch now.
  • CISA Warns of ‘Ongoing’ Brickstorm Backdoor Attacks: State-sponsored actors tied to China continue to target VMware vSphere environments at government and technology organizations.
  • 🏴‍☠️ Handala has just published a new victim : From Shield to Shame: The veil has finally been lifted. The main architects behind Israel’s so-called “Iron Dome” have now been exposed to the world.
  • 🏴‍☠️ Lynx has just published a new victim : Trucash: TruCash is a modern platform for fast, secure, and convenient financial transactions.
  • 🏴‍☠️ Coinbasecartel has just published a new victim : Renesas Electronics: Renesas Electronics Corporation delivers trusted embedded design innovation with complete semiconductor solutions.
  • 🏴‍☠️ Rhysida has just published a new victim : SODISE: SODISE
  • 🏴‍☠️ Qilin has just published a new victim : Towerstream: N/A
  • 🏴‍☠️ Datacarry has just published a new victim : Camomilla: Camomilla is an Italian brand renowned for its elegant accessories and refined clothing.
  • 🏴‍☠️ Anubis has just published a new victim : Trumbull County: The Internal Story of a County in the State of Ohio.
  • 🏴‍☠️ Incransom has just published a new victim : bennett.edu: Bennett College is a liberal arts college located in North Carolina, dedicated to empowering women through education.
  • 🏴‍☠️ Safepay has just published a new victim : mmc.de: MMC Studios is a major German media-production and facility company headquartered in Cologne.
  • 🏴‍☠️ Dragonforce has just published a new victim : King City Lumber: King City Lumber is a well-established provider of quality lumber and building materials, specializing in custom metal structures for over 50 years in the Midwest.
  • 🏴‍☠️ Nitrogen has just published a new victim : AvtechTyee: AvtechTyee is a company operating in the aerospace and defense industries.
  • 🏴‍☠️ Akira has just published a new victim : Sieger design: Sieger design specializes in developing comprehensive brand strategies and distinctive products that are significant and success-oriented.
  • 🏴‍☠️ Interlock has just published a new victim : Fargo Park District: Fargo Park District, with over 2,100 acres of land, is divided into Finance, Enterprise, Events, Operations, Programming and Facilities, Human Resources, Valley Senior Services and Courts, and Community Physical Activity.
  • 🏴‍☠️ Lockbit3 has just published a new victim : new blog domain lockbit 5.0: New secure blog domain, with a multi-layered protection system against all-powerful FBI agents lockbitapt67g6rwzjbcxnww5efpg4qok6vpfeth7wx3okj52ks4wtad.onion
  • 🏴‍☠️ Spacebears has just published a new victim : Slimsoft: Software and website development. Over 25 years of experience in developing software and websites according to customer needs and requirements…
  • 🏴‍☠️ Nova has just published a new victim : National Health Insurance Management Authority: The National Health Insurance Scheme (NHIS) provides access to quality healthcare services, essential medicines, and state-of-the-art medical equipment.