Guilty Plea in U.S. Case Against Yanluowang Access Broker
A Russian national has agreed to plead guilty to acting as an initial access broker for the Yanluowang ransomware operation, providing network entry points to attackers who later launched targeted intrusions across several U.S. companies between 2021 and 2022. FBI investigators uncovered key evidence through server data, cryptocurrency records, and Apple iCloud information, including chats in which the defendant negotiated payments with an accomplice. Two victim organizations ultimately paid around $1.5 million in ransom, with blockchain analysis linking portions of those funds to wallets supplied by the broker. The recovered materials also included a screenshot showing communication with a user named LockBit, hinting at potential ties to additional threat actors. The defendant now faces up to 53 years in prison and must pay more than $9 million in restitution to the affected companies.
CISA Urges Rapid Patching After Samsung Zero-Day Enables Spyware Attacks
CISA has instructed U.S. federal agencies to urgently patch a Samsung zero-day vulnerability, identified as CVE-2025-21042, after it was exploited to deploy the LandFall spyware through malicious DNG files sent via WhatsApp. The flaw—an out-of-bounds write bug in Samsung’s libimagecodec.quram.so—allows remote code execution on Android 13 and newer devices. Although Samsung issued a fix in April, researchers later confirmed that the zero-day had been actively abused since mid-2024 to compromise flagship devices such as the Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4. LandFall grants attackers extensive access, including location tracking, call and audio recordings, browsing history, and personal data. CISA has now added the zero-day to its Known Exploited Vulnerabilities catalog and given federal agencies until December 1 to secure their devices. The agency also recommends that all organizations apply the patch immediately to reduce exposure to ongoing zero-day exploitation.
GlobalLogic Alerts 10,000 Staff After Oracle Zero-Day Leads to Clop Ransomware Data Theft
GlobalLogic has begun notifying more than 10,000 current and former employees after attackers leveraged an Oracle E-Business Suite zero-day to steal sensitive HR data. According to the company’s breach filing, threat actors accessed the Oracle platform as early as July 2025 and exfiltrated information including names, contact details, identification numbers, bank information, and even passport data. Investigators say the intrusion was isolated to the Oracle environment, but the timeline and method strongly resemble an ongoing extortion campaign run by the Clop ransomware group. Clop has been exploiting an Oracle EBS zero-day to steal data from numerous organizations and has already posted victims such as Harvard University and Envoy Air on its leak site. While GlobalLogic has not appeared there yet, Clop ransomware actors have claimed responsibility, suggesting ongoing negotiations or a possible payment.
Synnovis Confirms Data Exposure After 2024 Ransomware Attack Linked to Qilin
Synnovis has begun notifying healthcare partners that patient data was stolen during the June 2024 ransomware incident attributed to the Qilin ransomware group. The organisation, which supports major NHS hospitals through its pathology services, says the breached data was highly fragmented and required extensive forensic reconstruction over the past year. The stolen information includes NHS numbers, names, dates of birth and, in some cases, test results, though much of it reportedly needs clinical expertise to interpret. The Qilin operation severely disrupted London hospitals, forcing cancellations of surgeries and blood transfusion services. Although Qilin later published portions of the stolen data on its leak site, Synnovis and its NHS partners maintained their stance against paying a ransom. The company is now informing affected NHS organisations so they can assess any patient impact, while continuing to emphasise the role of Qilin in the attack.
Google Sues to Shut Down Chinese Lighthouse Platform Behind Major US Toll Smishing Scams
Google has filed a federal lawsuit to dismantle the Lighthouse phishing-as-a-service platform, a Chinese-linked operation used to steal credit card data through large-scale smishing attacks. The service supplied phishing templates and infrastructure that impersonated USPS and E-ZPass systems, fueling campaigns that targeted more than one million victims across 120 countries. According to Google, Lighthouse hosted over 100 templates abusing Google’s own branding, while its operators—connected to the threat actor Wang Duo Yu—marketed the kits via Telegram. Attackers used the platform to send fraudulent toll notifications through iMessage and RCS, redirecting victims to fake payment portals designed to harvest personal and financial information. Thousands of typosquatted domains indicate sustained activity through 2025. By suing under racketeering and fraud statutes, Google aims to disrupt Lighthouse’s global smishing network while also supporting new U.S. policy initiatives intended to curb scam operations and foreign cybercrime.
CISA Warns That Akira Ransomware Now Encrypts Nutanix AHV Virtual Machines
CISA and multiple U.S. agencies have issued an updated advisory confirming that Akira ransomware has expanded its attacks to include Nutanix AHV virtual machines. Investigators report that Akira ransomware actors began encrypting Nutanix disk files in June 2025, abusing the SonicWall CVE-2024-40766 flaw to gain access. Unlike its more mature ESXi targeting—where Akira ransomware uses esxcli and vim-cmd to shut down VMs—the Linux encryptor simply encrypts .qcow2 files on Nutanix environments without using acli or ncli. The advisory highlights broader intrusion tactics as well, including the use of stolen VPN and SSH credentials, exploitation of Veeam vulnerabilities (CVE-2023-27532 and CVE-2024-40711), and lateral movement via tools like AnyDesk, LogMeIn, and Impacket. Akira ransomware affiliates have even copied domain controller VMDKs to extract NTDS.dit files. The agencies urge organizations to apply patches, enforce MFA, and maintain offline backups to counter Akira ransomware and related variants.
Kraken Ransomware Benchmarks Systems to Maximize Encryption Efficiency
Kraken ransomware, the successor to the HelloKitty operation, has introduced an unusual feature: it benchmarks each compromised system to determine whether full or partial encryption will cause the most damage without overloading resources. Cisco Talos reports that Kraken ransomware creates a temporary file, encrypts it, measures the speed, and then selects the optimal encryption mode. The gang, which has victims across the U.S., UK, Canada, Denmark, Panama, and Kuwait, typically gains access by exploiting SMB flaws, stealing admin credentials, and using Cloudflared tunnels and SSHFS for exfiltration. Kraken ransomware targets SQL databases, network shares, local drives, and Hyper-V environments on Windows, while its Linux/ESXi variant forcibly terminates VMs before encrypting their disk files. After attacks, a cleanup script wipes logs and traces. Encrypted files receive the .zpsc extension, and ransom notes demand payment—sometimes as high as $1 million.
Conclusion
The surge in ransomware operations, zero-day exploitation, and large-scale phishing campaigns illustrates how quickly today’s threat landscape continues to evolve. From access brokers fueling targeted intrusions to advanced groups like Clop, Qilin, Akira, and Kraken refining their methods, organizations face an escalating combination of data theft, operational disruption, and financial risk. Proactive security, rapid patching, and strong incident-response readiness are essential to staying ahead of these increasingly sophisticated attacks.
As experts in ransomware recovery and cybersecurity, we support organizations through Ransomware Recovery Services, critical Ransomware Negotiation Services, and our strategic Incident Response Retainer. If your organization needs urgent assistance or wants to strengthen its preparedness against modern ransomware threats, contact us today.