The Counter Threat Unit™ (CTU) research team analyzes security threats to help organizations protect their systems. Based on observations in July and August, CTU™ researchers identified the following noteworthy issues and changes in the global threat landscape:
- Ransomware remains a volatile threat despite disruptions
- Absent MFA allows exploitation of stolen credentials
- Legacy vulnerabilities maintain their value
Ransomware remains a volatile threat despite disruptions
Law enforcement actions have made an impact on the ransomware ecosystem but have not reduced the number of attacks.
Ransomware continues to pose a major threat to organizations. Even though the number of victims posted to leak sites has declined since reaching an all-time peak in March 2025, the figures in July and August remained higher than in the same months of 2024. Despite the amount of media attention devoted to high-profile ransomware and data extortion attacks by Scattered Spider and ShinyHunters, the two most prolific schemes during July and August were Qilin and Akira. Both schemes have been highly active during 2025 (although the number of victims posted each month is lower than the monthly volume from previous prolific operations like LockBit). Even so, the high number of ransomware attacks in the second and third quarters of 2025 has, overall, been distributed more evenly across multiple groups than in previous years.
Law enforcement actions against major ransomware operators in 2024 and 2025 have caused fragmentation and volatility in the ransomware landscape. Typically, each law enforcement disruption inspires a temporary spike in new group creations. Thirty-seven new schemes appeared in the first half of 2025. Four others emerged in July, followed by another four in August. The sustained high number may be linked to the regular cadence of law enforcement activity targeting LockBit throughout 2024. Several groups that had been considered dormant returned to activity during July and August 2025 too. In total, 52 ransomware schemes were active in August, a monthly volume that has only been surpassed three times in the previous two years.
The new schemes are likely not formed by new cybercriminals. Instead, affiliates who worked with disrupted operations may join or launch a new scheme, either pooling efforts with other displaced affiliates or working independently. New schemes may also be rebrands of older operations. Affiliates may alternatively move to established operations such as Akira that then increase their attack tempo as a result of having more resources. These rebrands and circulation of affiliates across existing or new groups can make kill chains hard to identify and attribution more difficult.
Even though these developments can increase the overall difficulty of monitoring the ransomware ecosystem, they do not greatly change the key defenses against most ransomware attacks: prompt patching, especially of internet-facing devices; phishing-resistant multi-factor authentication (MFA); and comprehensive monitoring of endpoints and networks. In addition, it is becoming increasingly important to monitor cloud and hybrid environments for malicious activity as threat actors pivot to the cloud.
What You Should Do Next
Monitor government initiatives on advancing cloud security.
Absent MFA allows exploitation of stolen credentials
Implementing MFA prevents threat actors from profiting from stolen credentials.
CTU researchers have observed multiple incidents where cybercriminals or state-sponsored threat actors obtained initial access to their victims’ environments by abusing VPN credentials. For example, the GOLD LEAPFROG threat group abused VPN credentials in an early 2025 attack that culminated in the deployment of SafePay ransomware.
Unauthorized access of this nature allows threat actors to bypass traditional security measures and gain direct entry into internal systems, even if the appliance is fully patched against known vulnerabilities. Other types of commonly abused access include remote desktop logins or administrative accounts. In other words, methods designed to protect authorized access for remote employees can also give attackers access if the protection is not sufficiently strong.
Threat actors often purchase the credentials on underground marketplaces. Infostealer malware steals credentials and other data from systems that it infects. The stolen data is then packaged into logs and sold online to other threat actors. Millions of logs are available for sale, and the number continues to rise sharply each year. As a result, protecting systems from infostealer infections forms a key part of defending against subsequent ransomware or data extortion attacks.
Threat actors who obtain partial credentials may also try to brute-force access on VPN accounts. If they succeed in gaining access, it is almost always because the VPN does not require MFA to authenticate. MFA alone does not prevent all unauthorized access, but it does reduce the threat of the most opportunistic cybercrime. Implementing phishing-resistant MFA on all internet-facing services and appliances reduces risk levels even further. This type of MFA uses hardware-backed methods to prevent token theft.
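The brute-force pattern described above, a run of failed VPN logins followed by a success that never completed MFA, is straightforward to surface from gateway authentication logs. The following is an added detection example for this report, not CTU tooling: the log format (timestamp, user, source address, result, MFA method) is a constructed, vendor-neutral one, and the sample lines, the failure threshold and the time window are assumptions to adapt to a real appliance.

```python
"""Flag brute-force attempts against a VPN gateway and successful logins that
did not complete MFA, from authentication log lines.

Added example for this report (not CTU tooling). The log format and the
sample lines below are constructed; adapt parse_line() to your appliance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real incident). The first block is
# a password-guessing run that ends in a non-MFA success; the last two lines
# are ordinary user behaviour (a typo followed by an MFA-backed login).
SAMPLE_LOG = """\
2025-08-12T03:14:01Z vpn-auth user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-08-12T03:14:07Z vpn-auth user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-08-12T03:14:13Z vpn-auth user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-08-12T03:14:19Z vpn-auth user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-08-12T03:14:25Z vpn-auth user=jsmith src=203.0.113.45 result=FAIL mfa=none
2025-08-12T03:14:31Z vpn-auth user=jsmith src=203.0.113.45 result=SUCCESS mfa=none
2025-08-12T08:02:10Z vpn-auth user=akim src=198.51.100.7 result=SUCCESS mfa=fido2
2025-08-12T09:30:00Z vpn-auth user=rlee src=192.0.2.88 result=FAIL mfa=none
2025-08-12T09:45:00Z vpn-auth user=rlee src=192.0.2.88 result=SUCCESS mfa=totp
"""

FAIL_THRESHOLD = 5              # assumed: failures per (user, source) that count as brute force
WINDOW = timedelta(minutes=10)  # assumed: sliding window for counting those failures


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts_str, _, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"], "src": fields["src"],
            "result": fields["result"], "mfa": fields["mfa"]}


def analyze(log_text):
    """Return a list of (finding, user, src) tuples, in log order."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(list)  # (user, src) -> failure timestamps in window
    findings = []
    for ev in events:
        key = (ev["user"], ev["src"])
        fails = recent_fails[key]
        fails[:] = [t for t in fails if ev["ts"] - t <= WINDOW]  # expire old failures
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) == FAIL_THRESHOLD:  # alert once when the threshold is crossed
                findings.append(("brute_force", ev["user"], ev["src"]))
        else:
            if fails:  # a success that follows recent failures is the high-value alert
                findings.append(("success_after_failures", ev["user"], ev["src"]))
            if ev["mfa"] == "none":  # any success without MFA is worth reviewing
                findings.append(("success_without_mfa", ev["user"], ev["src"]))
            fails.clear()
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the sample data the script raises three findings, all for the same user and source: the brute-force threshold being crossed, the success that follows it, and the fact that the success carried no MFA. The rlee lines produce nothing because the single failure falls outside the window and the login completed MFA; tuning the threshold and window to the gateway's real traffic is what keeps this from paging on ordinary typos.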
What You Should Do Next
Review guidance published by U.S. Cybersecurity and Infrastructure Security Agency (CISA) on
Legacy vulnerabilities maintain their value
Even if a vulnerability is years old, it’s rarely too late to patch.
In August, the Federal Bureau of Investigation (FBI) warned that Russian state-sponsored threat actors linked to the Russian Federal Security Service’s (FSB) Center 16 were conducting cyberespionage attacks against U.S. and other entities by actively targeting Cisco devices unpatched against a vulnerability from 2018. CTU researchers observed similar activity by Russian state-sponsored threat actors in 2023.
The FBI was also one of multiple agencies in the U.S. and beyond to issue a warning about Chinese state-sponsored threat actors compromising networks worldwide for espionage purposes. The part of the document that covered how the attackers gained initial access states that “they are having considerable success exploiting publicly known common vulnerabilities” rather than previously unknown zero-day vulnerabilities. The document lists the Cisco vulnerability from 2018, as well as others from 2023 and 2024 that affect edge devices.
Organizations may not patch promptly for many reasons. Budgetary restrictions and limited personnel are just two factors that can impact a patching program. Staff may lack awareness of the vulnerability or not realize that impacted equipment is in use. Some patches may require additional evaluation or need to be replaced with workarounds to avoid potential impact to other business-critical operations. In some cases, equipment is so old that vendors no longer publish security updates. Nonetheless, unpatched edge devices put organizations at risk. During incident response engagements that CTU researchers observed in 2024, vulnerabilities in internet-facing devices were the most common initial access vectors.
The risk posed by unpatched devices is not going to decline. It is already easy to use freely available scanning systems and publicly available exploit code to find and exploit vulnerable systems, and it is feasible that AI might automate this further. Prompt patching according to business risk calculations, or replacement of end-of-life systems, remains more important than ever.
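The risk-based prioritization the previous paragraphs call for can be made explicit. The following is an added example for this report, not CTU tooling: it ranks a constructed asset inventory by the factors the text names (internet exposure, age of the oldest unpatched vulnerability, availability of public exploit code, and whether the vendor still ships updates) and recommends patching or replacement. The weights, thresholds and inventory entries are illustrative assumptions, and the scoring goes slightly beyond the text by capping the age contribution so that a very old flaw does not outweigh exposure and exploit availability.

```python
"""Rank an asset inventory for patch-or-replace action using business-risk
factors: internet exposure, vulnerability age, public exploit availability,
vendor support status and owner-assigned criticality.

Added example for this report (not CTU tooling). Weights, thresholds and the
inventory below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Asset:
    name: str
    internet_facing: bool
    vuln_published: Optional[date]  # oldest unpatched vulnerability; None if fully patched
    public_exploit: bool            # exploit code publicly available for that vulnerability
    vendor_supported: bool          # False once the vendor stops publishing security updates
    criticality: int                # 1 (low) .. 5 (business-critical), set by the asset owner


def risk_score(asset, today):
    """Higher score means act sooner. Weights are illustrative."""
    if asset.vuln_published is None and asset.vendor_supported:
        return 0  # nothing outstanding
    score = 2 * asset.criticality
    if asset.internet_facing:
        score += 10  # edge devices were the most common initial access vector
    if asset.public_exploit:
        score += 8
    if not asset.vendor_supported:
        score += 6   # no fix will ever arrive
    if asset.vuln_published is not None:
        years_open = (today - asset.vuln_published).days / 365.25
        score += min(int(years_open) * 2, 10)  # age matters, but capped
    return score


def recommended_action(asset):
    """Map an asset to the action a patching programme would take."""
    if not asset.vendor_supported:
        return "replace_or_isolate"
    if asset.vuln_published is None:
        return "none"
    if asset.internet_facing and asset.public_exploit:
        return "patch_immediately"
    return "patch_in_cycle"


def prioritize(assets, today):
    """Return (name, score, action) tuples, highest risk first."""
    ranked = sorted(assets, key=lambda a: risk_score(a, today), reverse=True)
    return [(a.name, risk_score(a, today), recommended_action(a)) for a in ranked]


# Constructed inventory (hypothetical hosts, not from any engagement).
INVENTORY = [
    Asset("edge-router-1", True, date(2018, 6, 1), True, True, 4),
    Asset("legacy-fw", True, date(2019, 3, 1), False, False, 3),
    Asset("hr-server", False, date(2024, 11, 1), True, True, 5),
    Asset("dev-box", False, None, False, True, 1),
]


if __name__ == "__main__":
    for name, score, action in prioritize(INVENTORY, date(2025, 9, 1)):
        print(f"{name:15} score={score:3} action={action}")
```

The ordering is the point: the internet-facing router with a seven-year-old, publicly exploited flaw outranks the business-critical internal server with a recent one, and the unsupported firewall lands in the replace-or-isolate bucket regardless of its score because no patch is coming.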
What You Should Do Next
Monitor government and vendor advisories and other threat intelligence sources about threat actor
Conclusion
Despite changes in threat group composition and increases in attack numbers, some aspects of the cyber threat remain the same. Cybercriminals and state-sponsored threat actors continue to take advantage of easy access to organizations’ environments. Fortunately, the basics of good cyber defense also remain constant: prompt patching, phishing-resistant MFA, and comprehensive monitoring and response.