Interviews Archives | CyberMaxx
https://www.cybermaxx.com/resources/type/interviews/

Ransomware Research Report | Q2 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2025-audio-blog-interview/
Thu, 24 Jul 2025 17:42:12 +0000


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Introduction

Ransomware activity in Q2 of 2025 showed a significant decline compared to the previous quarter. We observed a total of 1488 successful ransomware attacks between April 1st and June 30th, compared to the 2461 we observed in Q1. This represents a 40% decline in activity. Despite the reduction, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during Q2.

We observed a total of 75 ransomware groups operating within Q2, up from 74 in Q1. There appears to have been a focus on sectors with sensitivity to operational disruption this quarter – healthcare, manufacturing being two of the top three industries hit – along with education, government and energy all showing growth as well, to a smaller degree.

Qilin is the threat actor with the most successful ransomware attacks this quarter – with 176 total, followed by Akira with 139 and Play with 124. Qilin was most active within the healthcare industry and technology sectors.

While Cl0p was extremely active last quarter, they have not been as active recently. This may be due to them still working through the backlog of victims from exploiting Cleo Harmony back in February.

Lockbit Updates

In recent months, two major ransomware groups were quietly hacked, and both attacks featured the same message: “Don’t do crime, xoxo from Prague.” No one has come forward to take responsibility.

In April, the Everest group's leak site was defaced, and then in May LockBit's affiliate panel was also updated with the odd message. The LockBit breach also leaked internal data and crypto wallet addresses.

Theories are circulating that it may have been a rival gang or law enforcement; however, no one has officially taken credit for either attack, which were very likely carried out by the same individual (or group!).

HealthCare

Between April 1 and June 30, 2025, the healthcare sector experienced 95 ransomware attacks, making it the third most targeted industry during this period, following Manufacturing and Tech at 157 and 136 respectively.

Across the broader ransomware landscape, a healthcare organization is now hit with a successful attack roughly every 22 hours. Groups like Qilin and others continue to exploit healthcare's operational urgency, pressuring victims to pay quickly to avoid disruptions to patient care or data exposure.

The impact of each incident tends to be disproportionately high compared to other industries, leading to care delays, system outages, and regulatory complications.

Qilin:

Qilin have been the most prolific group this quarter, primarily targeting high-impact and operationally critical industries.

Manufacturing led all sectors, followed by Technology and Healthcare, reflecting Qilin’s focus on data-sensitive and disruption-prone environments. Transportation/Logistics and Education were also notable targets.

A full breakdown of their operational target industries can be seen in the full report.

Qilin have demonstrated consistent growth throughout the first half of 2025, with attack volumes rising steadily each month. Starting with a relatively low number of incidents in January, activity nearly doubled by February and remained stable through March and April. A sharp increase followed in May, and June marked the group’s most active month to date, with over 75 recorded attacks.

The vulnerabilities we have observed the group using are as follows:

  • CVE-2023-4966, aka CitrixBleed
  • CVE-2023-27532, a credential access vulnerability in Veeam Backup
  • CVE-2025-31161, an authentication bypass in CrushFTP
  • CVE-2025-31324 in SAP NetWeaver (which, interestingly, was exploited at least 3 weeks before public disclosure, showing that the group had early access to a zero-day)
  • CVE-2025-32756, which allows unauthenticated RCE in several Fortinet products

The full list of exploited vulnerabilities is also available in the report, along with a breakdown of their currently active infrastructure.

Q2 Conclusion

The second quarter of 2025 marked a complex and transitional period in the ransomware landscape. While overall attack volume declined significantly, threat activity remained widespread, with critical sectors such as healthcare, government, and education continuing to face sustained pressure. Despite the slowdown in raw numbers, the frequency of attacks and the strategic focus of top ransomware groups indicate that the threat remains both adaptive and persistent.

Qilin emerged as the most active ransomware group this quarter, steadily increasing its operations and overtaking previously dominant groups such as Cl0p. Their consistent targeting of high-impact industries, exploitation of newly disclosed vulnerabilities, and technical adaptability demonstrate a clear evolution in capability and reach. At the same time, the temporary absence of Cl0p from the top rankings, despite its history of impactful, exploit-driven campaigns, highlights the cyclical and opportunistic nature of ransomware group activity.

Sectors like healthcare continue to experience frequent and damaging incidents, underscoring the need for targeted resilience strategies. Meanwhile, the recent breaches of ransomware infrastructure such as the defacements of Everest and LockBit hint that threat actors themselves are not immune to disruption, though the sources of these countermeasures remain unknown.

In summary, Q2 2025 presented fewer attacks overall, but increased complexity in attacker behavior, tooling, and targeting. Organizations must remain proactive, adaptable, and intelligence-driven in their defensive strategies as ransomware continues to evolve.

Read the full report.

Ransomware Research Report | Q1 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2025-audio-blog-interview/
Thu, 24 Apr 2025 16:12:55 +0000

The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware

Ransomware activity continues to climb in the first quarter of 2025, with 2461 attacks carried out by 74 active groups. This is a 4% increase over last quarter, which was the previous period with the highest volume of attacks on record.

At the forefront of this quarter is Cl0p, which was responsible for 398 attacks, roughly 16% of the total. Cl0p achieved this by chaining two vulnerabilities together in Cleo Harmony and VLTrader for a huge impact. These vulnerabilities are listed under

  • CVE-2024-50623
  • CVE-2024-55956

This campaign peaked in February with 331 attacks, the highest monthly total ever recorded by a single group.

Other top actors included RansomHub, Akira, Babuk2, and Qilin. Surprisingly, LockBit, once a dominant force, dropped to 24th place with only 23 attacks. Exploitation of unpatched systems continues to be a favored technique for initial access among ransomware groups.

BlackBasta

In February 2025, a major leak of internal chat logs exposed the inner workings of the Black Basta ransomware group. The leaked logs discuss their target preferences, tactics, and tools.

Target Selection

Black Basta prioritized organizations with low tolerance for downtime, including healthcare, financial services, and critical infrastructure. These sectors were targeted strategically, given the high stakes and pressure to restore operations quickly, factors that increase the chance of ransom payments.

Exploitation Tactics

The group typically exploited known vulnerabilities rather than expensive zero-days. However, they did purchase at least one high-value exploit for use against CVE-2024-26169, used for privilege escalation on Windows systems. Microsoft patched it in March 2024, but evidence suggests Black Basta had access prior to its public disclosure, dating back as early as December 2023.

Tools and Techniques

Two tool variants linked to the group were uncovered by Symantec. One, compiled in December 2023, is publicly available on VirusTotal. The second, from February 2024, appears to have been privately tested. The leak also confirmed extensive credential harvesting operations—key to initial access and lateral movement. A link to the VirusTotal analysis is available in the full report.

Underground Forum

Logs indicate the group actively used platforms like exploit.in to acquire or trade vulnerabilities.

Conclusion

This leak gives us a behind-the-scenes look at a major ransomware group. It highlights the group's clear focus on exploiting vulnerabilities in critical sectors and leveraging credential harvesting to facilitate their attacks. As always, proactive patching, credential protection, and a hardened defense strategy are needed to stay ahead of these tactics, especially for organizations in critical sectors.

Bybit

In February 2025, the Bybit cryptocurrency exchange suffered one of the largest crypto thefts to date—400,000 ETH, worth $1.5 billion. The attack has been attributed to the Lazarus Group, a North Korean state-sponsored threat actor known for targeting digital assets.

Lazarus exploited Safe{Wallet}, a third-party multi-signature wallet platform designed to enhance transaction security. The attackers compromised a developer’s workstation at Safe{Wallet}, injecting malicious JavaScript into its frontend interface.

This clever move allowed them to disguise an unauthorized transfer as a legitimate transaction. Exploiting user behavior—specifically the tendency to rapidly click through approval prompts—they bypassed the multi-signature protection and triggered a massive transfer from Bybit’s cold wallet without raising alarms.

Once the theft was complete, Lazarus laundered the stolen ETH through multiple intermediary wallets, swapping tokens and using cross-network services to obscure the funds’ origins. The stolen assets currently sit dormant across multiple wallets.

The big takeaway here is that even the most secure systems can be undermined by third-party vulnerabilities and user complacency.
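The technique described above, as an added example that is not part of the transcript and is not code from Safe{Wallet} or Bybit: a compromised frontend renders one transaction for the signer while passing a different payload to the wallet, and the check that catches it decodes the bytes actually about to be signed and compares them against an intent recorded through a channel the frontend does not control. The decoder below handles only a plain ERC-20 transfer(address,uint256) call (selector 0xa9059cbb); the token, treasury and attacker addresses and the amounts are constructed for the example.

```javascript
// Added example (not Safe{Wallet} or Bybit code): verify the transaction a wallet is about
// to sign against the intent the user was shown, independently of the frontend that
// rendered the approval prompt. All addresses and amounts below are constructed.

const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// Decode ABI calldata for ERC-20 transfer(address to, uint256 amount).
// Returns null for anything that is not a well-formed transfer call.
function decodeTransfer(calldataHex) {
  const hex = calldataHex.replace(/^0x/, "").toLowerCase();
  if (hex.length !== 8 + 64 + 64 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== TRANSFER_SELECTOR) return null;
  const toWord = hex.slice(8, 72);
  if (!/^0{24}/.test(toWord)) return null; // an address is right-aligned in its 32-byte word
  return { to: "0x" + toWord.slice(24), amount: BigInt("0x" + hex.slice(72, 136)) };
}

// Build transfer calldata; used here only to construct the sample payloads.
function encodeTransfer(to, amount) {
  const addr = to.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + TRANSFER_SELECTOR + addr + amt;
}

// Compare what will actually be signed (tx) with the recorded intent. The intent must
// come from a channel the frontend cannot influence: a second operator's copy, a
// hardware wallet screen, or an out-of-band approval record.
function checkIntent(intent, tx) {
  const problems = [];
  if (tx.to.toLowerCase() !== intent.token.toLowerCase()) {
    problems.push(`tx targets ${tx.to}, intent names ${intent.token}`);
  }
  const call = decodeTransfer(tx.data);
  if (!call) {
    problems.push("calldata is not a plain ERC-20 transfer");
    return { ok: false, problems };
  }
  if (call.to !== intent.recipient.toLowerCase()) {
    problems.push(`recipient ${call.to} differs from ${intent.recipient}`);
  }
  if (call.amount !== intent.amount) {
    problems.push(`amount ${call.amount} differs from ${intent.amount}`);
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: the intent shown in the UI and three candidate payloads.
const TOKEN = "0x1111111111111111111111111111111111111111";
const TREASURY = "0x2222222222222222222222222222222222222222";
const ATTACKER = "0x3333333333333333333333333333333333333333";
const SHOWN_INTENT = { token: TOKEN, recipient: TREASURY, amount: 1000n * 10n ** 18n };

const honestTx = { to: TOKEN, data: encodeTransfer(TREASURY, SHOWN_INTENT.amount) };
// What an injected frontend script hands to the signer while still rendering SHOWN_INTENT.
const swappedTx = { to: TOKEN, data: encodeTransfer(ATTACKER, 400000n * 10n ** 18n) };
// A call the UI labels as a routine transfer but which is something else entirely.
const opaqueTx = { to: TOKEN, data: "0xdeadbeef" + "00".repeat(64) };

function runIntentChecks() {
  return {
    honest: checkIntent(SHOWN_INTENT, honestTx),
    swapped: checkIntent(SHOWN_INTENT, swappedTx),
    opaque: checkIntent(SHOWN_INTENT, opaqueTx),
  };
}

for (const [name, result] of Object.entries(runIntentChecks())) {
  console.log(name.padEnd(8), result.ok ? "OK    " : "REJECT", result.problems.join("; "));
}
```

A swapped recipient or amount, or calldata that is not the kind of call the UI claims it is, gets rejected before anything reaches the signer. The point is where the check runs: if it lives in the same page as the injected script it can be patched out along with the prompt, so the intent has to be supplied by a second operator, a hardware wallet screen, or an approval record kept outside the web application.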

Chainalysis

In 2024, ransomware attacks reached record levels, especially in the fourth quarter. But in a surprising twist, ransomware payments actually fell. According to Chainalysis, victims paid $813 million in crypto, down 35% from $1.25 billion in 2023.

This unexpected decline comes as Q4 2024 marked the most active quarter ever for ransomware. The drop in payouts signals a shift in how organizations are responding to these threats.

So, what are the reasons for this decline?

First, companies are improving their cybersecurity, with stronger defenses and better backups, so that many can now recover without paying.

Second, regulatory pressure is rising. Governments are discouraging ransom payments to avoid fueling criminal activity.

And third, there's greater awareness. Organizations now better understand the long-term consequences of paying ransoms, such as encouraging repeat attacks.

Add to that a global law enforcement crackdown (seizing crypto, arresting operators, and dismantling gangs) and the result is a ransomware ecosystem that's getting harder to profit from. However, with ransomware numbers continuing to climb, it also suggests that while payment volumes have decreased, the overall threat of ransomware continues to grow.

Oracle Health

In early 2025, Oracle Health, formerly known as Cerner, suffered a major data breach affecting multiple U.S. hospitals and healthcare providers. The breach stemmed from unauthorized access to legacy data migration servers using compromised customer credentials, with activity traced back to late January.

Sensitive patient data from electronic health records was exfiltrated, though the full scope remains unclear. Oracle Health discovered the breach in February and began notifying affected clients in March.

Adding to the complexity, an individual calling themselves “Andrew” has attempted to extort healthcare providers, threatening to release the stolen data. “Andrew” isn’t linked to any known ransomware group, suggesting a possible lone actor or emerging threat.

This breach highlights two critical vulnerabilities: outdated legacy systems and inadequate credential protections.

Q1 Conclusion

Security teams must prioritize patch management and ensure that critical vulnerabilities are addressed promptly. Organizations should also emphasize credential protection, implementing multi-factor authentication (MFA) and monitoring for compromised accounts.
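The credential monitoring the conclusion calls for, as an added example that is not CyberMaxx's code and is not tied to any Oracle Health system: two rules run over constructed authentication logs, one for a success that follows a burst of failures from the same source, and one for a legacy host reached from a source address the account has never used before. The log format, the host and user names, the baseline of known sources and the RFC 5737 documentation addresses are all constructed for the example.

```javascript
// Added example (not CyberMaxx's code): flag likely credential misuse in constructed
// authentication logs. Log format, host names, user names, baseline and addresses are
// all constructed for the example.

const LEGACY_HOSTS = new Set(["legacy-migrate-01", "legacy-migrate-02"]);
const FAILURE_THRESHOLD = 5;              // failures before a success looks like a guess that landed
const FAILURE_WINDOW_MS = 15 * 60 * 1000; // look back this far for those failures

// Parse one line of the constructed "key=value" auth log into an event; null if malformed.
function parseLine(line) {
  const m = line.match(/^(\S+) user=(\S+) src=(\S+) host=(\S+) result=(success|failure)$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), user: m[2], src: m[3], host: m[4], ok: m[5] === "success" };
}

// baseline: Map of user -> Set of source addresses seen during a known-good period.
function detect(lines, baseline) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const alerts = [];
  const recentFailures = new Map(); // "user@src" -> timestamps of failed attempts
  for (const e of events) {
    const key = `${e.user}@${e.src}`;
    if (!e.ok) {
      const list = recentFailures.get(key) || [];
      list.push(e.ts);
      recentFailures.set(key, list);
      continue;
    }
    // Rule 1: a success preceded by a burst of failures from the same source.
    const fails = (recentFailures.get(key) || []).filter((t) => e.ts - t <= FAILURE_WINDOW_MS);
    if (fails.length >= FAILURE_THRESHOLD) {
      alerts.push({ rule: "success-after-failures", user: e.user, src: e.src, host: e.host, failures: fails.length });
    }
    recentFailures.delete(key);
    // Rule 2: a legacy host reached from a source this account has never used before.
    const known = baseline.get(e.user) || new Set();
    if (LEGACY_HOSTS.has(e.host) && !known.has(e.src)) {
      alerts.push({ rule: "new-source-on-legacy-host", user: e.user, src: e.src, host: e.host });
    }
  }
  return alerts;
}

// Constructed baseline and log lines (RFC 5737 documentation addresses).
const BASELINE = new Map([
  ["migrate_svc", new Set(["198.51.100.10"])],
  ["j.doe", new Set(["198.51.100.22"])],
]);

const LOG = [
  "2025-01-28T01:55:00Z user=j.doe src=198.51.100.22 host=portal-01 result=success",
  "2025-01-28T02:10:00Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=failure",
  "2025-01-28T02:10:05Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=failure",
  "2025-01-28T02:10:10Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=failure",
  "2025-01-28T02:10:15Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=failure",
  "2025-01-28T02:10:20Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=failure",
  "2025-01-28T02:14:07Z user=migrate_svc src=203.0.113.45 host=legacy-migrate-01 result=success",
  "2025-01-28T09:00:00Z user=migrate_svc src=198.51.100.10 host=legacy-migrate-01 result=success",
  "2025-01-28T09:30:00Z user=j.doe src=203.0.113.9 host=portal-01 result=success",
  "this line is not in the expected format",
];

function runAuthDetection() {
  return detect(LOG, BASELINE);
}

for (const alert of runAuthDetection()) console.log(JSON.stringify(alert));
```

The service account's success at 02:14 trips both rules; its later login from the baselined address trips neither, and the ordinary user's new address on a non-legacy host is left alone. Both rules depend on a baseline of what "normal" looks like per account, which is exactly the data that tends to be missing for legacy systems nobody has looked at in a while.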

Ransomware Research Report | Q4 2024 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q4-2024-audio-blog-interview/
Tue, 28 Jan 2025 13:00:09 +0000

The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q4’s research here.

Video Transcript

Intro

This is the ransomware report for Q4 2024. I’m Connor Jackson, Security Research Manager at CyberMaxx. Let’s get into it.

Ransomware

Ransomware and data extortion attacks continue to rise month over month. This quarter saw the highest spike in attacks that we have observed on record. Q4 had 4568 successful attacks, which means that the final 90 days of 2024 saw almost as many attacks as all of 2023, at 95% of that year's volume.

For comparison, the same timeframe in 2023 (October 1st to December 31st) had 1218 attacks, making this a 275% increase over the same 90-day window 12 months earlier.

2024 finished the year with 7041 attacks, the highest on record.

The highest number of successful attacks occurred in November, with the highest spike on November 18th. Leading up to this date we observed five CVEs being actively exploited in the wild, which may have contributed to this figure. The full details are in the downloadable report.

Another notable spike was on December 24th, when 80 successful attacks were witnessed. Threat actors know that security teams are finishing up for the year, taking unused PTO, and generally being slower to respond than at other times in the year, and they capitalize on this, giving them an improved success rate of actions on objectives.

The most prominent group of the year was RansomHub with 612 attacks, followed by LockBit with 538, despite the continued takedowns. RansomHub offer a 90% split with affiliates, making their ransomware-as-a-service platform attractive for groups to work with.

Cloud

Threat actors continue to follow the industry adoption of cloud. We observed a 39% increase of attacks against cloud infrastructure over 2023, making this a growing initial access vector. Attacks were mainly targeted against identity management and exploiting misconfigurations in cloud infrastructure.

Notable Events

Other notable events this year include the CrowdStrike outage, the Operation Cronos takedown of LockBit, OpenAI's report on how threat actors are using ChatGPT, and the Health Infrastructure Security and Accountability Act proposed in the US. Several of these are detailed in this quarter's report.

Conclusion

2024 has been both the year with the most attacks overall and the year with the largest number of attacks in one quarter, rivalling previous whole years in just 90 days. The spike in November can be attributed to several zero-days that were exploited in the wild, showing the need for a responsive patching process to avoid exploitation by opportunistic threat actors.

Attackers continue to follow the industry into the cloud, making this a common attack vector. Q4 saw a total of 66 active groups, 2 more than Q3's 64 and 20 more than Q4 2023. A growing number of attacks combined with an increased number of groups typically indicates increased rates of successful exploitation. IBM's "Cost of a Data Breach" report shows that the average cost is now 4.8 million US dollars, making successful attacks both more common and more expensive than in previous years.

Download the full report


Dark Reading Interview at RSAC 2024: CyberMaxx Plays Offense with User, Data Protection
https://www.cybermaxx.com/resources/dark-reading-news-desk-interview-at-rsac-2024-cybermaxx-plays-offense-with-user-data-protection/
Mon, 20 May 2024 14:40:58 +0000

Aaron Shaha, CISO at CyberMaxx, joins Dark Reading’s Terry Sweeney at News Desk during the RSA Conference to discuss what an “offense that fuels defense” strategy entails.

This 7-minute interview covers the following topics:

  • What’s keeping him up at night
  • Unique approach to offense fuels defense
  • Perspective on AI and threat hunting
  • Security culture within organizations

Watch on Dark Reading
Watch on CyberMaxx’s YouTube

Aaron Shaha, CISO at CyberMaxx is a Strategic Information Security Executive and subject matter expert with a record of pioneering cybersecurity trends by developing novel security tools and techniques that align with corporate objectives. Known for building and leading strong teams that provide technology-enabled business solutions for start-ups, industry leaders (Deloitte and its Fortune clients), and government agencies (NSA). Skilled at developing information security strategies and standards, leading threat detection and incident response teams to mitigate risk, and communicating effectively across all levels of an organization.

Ransomware Research Report | Q3 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q3-2023-audio-blog-interview/
Mon, 30 Oct 2023 20:40:46 +0000

The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q3’s research here.

Video Transcript

I’m Connor Jackson, Manager of Security Research here at Cybermaxx.

Q3 of 2023 has been a big one. The MGM attack, ALPHV, the spike in threat actor activity, Cl0p, DarkGate: a lot has happened this quarter.

The Recent Attacks

The recent MGM attack has been claimed by two separate threat actors. It’s still unclear if they were working together to coordinate this attack or operating individually.

Cl0p are still working through the backlog of victims from the mass exploitation of Progress Software's MOVEit vulnerability, which occurred earlier this year.

The number of orgs hit has now risen over 2000 and approximately 62 million individuals have been affected due to leaked data as a result of this. Ransomware attacks for Q3, which is July first to September 30th, are now up 59% over Q2, which is double what we saw in Q1.

This brings the total number of successful attacks this quarter to 1826, with 28% of these attacks all stemming from the same group, ALPHV.

An existing malware strain has adopted a malware-as-a-service model. This has resulted in its use skyrocketing in recent weeks.

DarkGate is a malware that can be used to infect the system with various utilities, info stealers, follow-on payloads, etc.

We Have a Breakdown and Analysis

We have a breakdown and analysis of this strain, with the multiple ways that we've seen infections occur.

Also included with the ransomware report for Q3 is a series of SentinelOne and CrowdStrike EDR queries, and these can be used to help detect this threat early on in the attack chain, which you can use in your own environments.

The sharp rise in activity appears to be stemming from four main groups. Those groups are ALPHV, Cl0p, LockBit, and 8base.

All of these threat groups can be classified as opportunistic and have been observed rapidly weaponizing vulnerabilities to complete their objectives.

We mentioned last quarter that we expected to see 8base continue to be a threat within the industry. Q2 saw 107 successful attacks, and in Q3 we saw 92, placing them in at number four when ranked by a volume of activity.

The Key Takeaways

The key takeaways this quarter are that supply chain attacks continue to be a lucrative attack vector, and they're still being used to target large organizations, as we saw with MGM.

Malware as a service is continuing to rise in popularity, leading to things like Darkgate, and activity in line with this should be monitored for over the coming weeks and months.

You can use our EDR queries to help detect this.


BSides Event Featuring APA/ATA Vulnerabilities – Audio Blog
https://www.cybermaxx.com/resources/bsides-event-featuring-apa-ata-vulnerabilities/
Tue, 08 Aug 2023 15:30:04 +0000

Video Transcript

Hi, I’m Darren. I’m a penetration tester at Cybermaxx.

BSides Event: Basingstoke, UK

So earlier this month I went to a BSides event in a city called Basingstoke in the United Kingdom. It's in the South of England, sort of nearish London. There was quite a variety of talks on during the day, one of which was me presenting about vulnerabilities in the Cisco ATA devices, the SPA series.

There were also talks about the Cl0p ransomware gang and about using convolutional neural networks for detecting network traffic of malware. There were also other things; for example, the Ministry of Defence's DSTL brought with them an original Enigma machine from World War Two, which was pretty cool to look at.

Another company had brought basically the internals of the cockpit of an airplane that you could use as a flight simulator.

And of course there was the lock picking village and other hacker things going on.

Cisco SPA/ATA Device Vulnerabilities Discussion

So I was giving a presentation on some unpatchable vulnerabilities in end-of-life Cisco products, the Cisco ATA devices, specifically the SPA series and some other series of devices. These are a small unit that lives on your desk and allows you to connect an old-school analog phone and use it as a soft phone, like a VoIP phone, for modern teleconferencing.

What I was talking about was that Cisco had released an advisory saying some vulnerabilities had been discovered in these devices, and because these devices were out of support they would not be patched.

Cisco's solution was to tell you to buy a newer device and throw out the old ones. There was no public exploit at the time of the advisory. So I spent some time reverse engineering the firmware and writing my own exploit for it, to see what risk this advisory actually resulted in, and I found that the risks were pretty severe: the utility to an attacker was quite high.

So I presented on how I rediscovered the vulnerability, how bad the impact is, what I could do with it, and I also found that other devices not mentioned in the original advisory were also impacted.

Cisco Vulnerabilities: What risks does this pose?

So the risk here is that, for companies, these devices are somewhat inexpensive, about 150 bucks each, but you've got one on every user's desk in some offices I've been in, and on each one of those devices you can persistently install malware using this vulnerability, which allows remote access to the network.

So the risk for companies is that unless they got rid of these devices or somehow mitigated the issue by other means, they have all these potential entry points just there on everyone's desk that would allow a hacker to effectively live forever inside the company's network, and without replacing these devices that risk doesn't go away. There's no patch; you have to replace them.

So it's quite an expensive problem for a company to solve. They would have to do a wholesale replacement of these devices with newer models, which may also go out of support in the future.

Other Cool Exhibits: Original Enigma Machine and More!

So one of the coolest things I saw was the DSTL, they’re a branch of the Ministry of Defense, they brought one of the Original 4 rotor Enigma cipher machines that the Germans used during the Second World War to encrypt their messages that they’d send out to submarines, etcetera.

So they had this thing that they had seized, you know back at the end of World War Two from the Germans and they kept it for research and whatnot and they brought it with them and it was really cool to see they had like schematics of it. They even let it, you know, they even took off the lid of it, let us look inside. You could basically play with it a little bit, within reason. It is a historical artifact after all.

But it was cool because relatively nearby, like maybe a couple of hours drive away, is Bletchley Park, where they famously did the industrial scale decryption of the Enigma machine and some of the first computers effectively were invented. This is a really neat piece of you know Security history.

Ransomware Research Report | Q2 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2023-audio-blog-interview/
Wed, 26 Jul 2023 13:14:49 +0000

The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Welcome to the second installment of the quarterly Ransomware Report from CyberMaxx. This time we're looking at data from April 1st to June 30th, 2023.

Here’s What We’re Seeing

Ransomware attacks are up significantly this quarter, up a total of 26% in volume over Q1, totaling 1147 attacks in Q2. LockBit is again our number one threat group with 246 of these attacks, or a little over 21% of the total volume.

Cl0p have weaponized the latest vulnerability in MOVEit, deploying ransomware en masse. They exploited hundreds of vulnerable machines running the affected versions, which ultimately affected over 200 individual organizations. The volume of affected organizations was so great, in fact, that the group actually had to stop reaching out to individuals and instead direct everyone to the release page for further instructions.

Cl0p is still working through this backlog of affected orgs, so not all attacks have been taken credit for yet, which is reflected in what is included in this report. Although it does appear to be widespread, affecting organizations like the BBC, the Discovery Channel and the US Department of Energy.

Predictions

We are seeing groups continue to be opportunistic and make use of vulnerabilities to scale their operations. Ransomware activity is often closely aligned with vulnerability discovery, whether publicly disclosed or purchased on markets. This then has a direct correlation with the number of attacks that we observe in the wild, which affects organizations either directly or further downstream in the event of an attack on their supply chain.

Based on this, we do expect to see a similar number of attacks in Q3, somewhere around 1,000 successful attacks again, although this may increase if additional critical vulnerabilities in popular software are also brought to light, similar to MOVEit.

Cl0p is still working through their backlog, so they will likely have a large number of attacks attributed to them, again potentially larger than they have had this quarter.

To get the full depth of insights, download the Q2 Ransomware Research Report today.


Ransomware Research Report | Q1 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2023-audio-blog-interview/
Thu, 04 May 2023 06:00:42 +0000


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Video Transcript

Hi, everyone. I’m Connor. I’m the security research manager here at CyberMaxx and the author of this quarterly report.

We believe that by sharing the intelligence available to us within the broader community, other organizations can also stay ahead of the same threats that we’re all facing.

Why We’re Doing This

This report is a summary of all the activity within the ransomware industry over the past quarter. It also provides trend analysis on a regular frequency, which allows us to identify changes within the ransomware vertical.

For example, the numbers we observed last quarter were 1,030 successful attacks, and in this quarter 909. So that’s less total activity, but the big names have had a noticeable increase in their efforts.

What We Do at CyberMaxx

We track multiple ransomware groups, and we log all their activity: their attacks, the organizations they’ve successfully attacked, and when they did it. Then we provide that data for you every quarter in this report.

We Aren’t Making This Up

The raw data that we use for these reports will also be released alongside the report itself. The purpose of that is basically just to allow other teams to do their own work using the same data set that we use. That way, we can see what conclusions they can come up with on their own, or what they can identify.

How is this Data Useful?

Looking at this data, we can identify new trends that start to emerge. For example, we might see new groups emerge onto the scene. Take Royal, who made headlines last year. They’re largely rumored to have several members from the now-dissolved Conti group. That would also explain how they were able to make such a big impact out of seemingly nowhere, which also, in turn, sheds some light on what tactics they’re using, particularly for such a new group.

Identifying inactive groups and their TTPs also helps us to ensure that we have appropriate coverage against their operations. We’re being proactive instead of reactive here. This feeds into our threat hunt program as well, so that we can start to hunt across our client base for any indicators found from this intelligence.

Summary

We see Lockbit take the top position yet again. We talk about the 3CX supply chain attacks. And we provide a sample SentinelOne EDR detection for that. We also discuss a common evasion tactic that we’re seeing across all groups, whereby they’re evading existing security measures. In this case, we’re talking about measures to bypass Mark of the Web protections within their initial access efforts.

There’s a link to a full technical breakdown in the report if anyone is interested, and we do a deep dive into how that works.

Plans for the Future

This report will be released every quarter along with the accompanying data set showing trends compared to previous quarters. We’re also providing measures and information to help defend against these real-world threats that we’re seeing.
