The statistics listed in the Quarterly Threat Report: Third Quarter, 2025, issued by Beazley Security, are eye-popping. They include:
- August and September showed a sharp increase in ransomware activity, with those months accounting for 26% and 18% of reported ransomware incidents in the last half year, respectively.
- Akira, Qilin, and INC Ransomware represented 65% of all ransomware cases, demonstrating a significant increase in attack activity by the largest ransomware operators.
- Known Exploited Vulnerabilities tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) fell by 26%, yet attackers executed several high-impact exploitation campaigns.
- Critical vulnerabilities in Cisco and NetScaler remote-access devices increasingly drew attention from attackers.
- Attacks on SonicWall devices by the Akira ransomware group accelerated in Q3, followed by a prominent MySonicWall data breach impacting all organizations leveraging the backup cloud service.
According to the report, business services were hit the most, followed by professional services and associations, manufacturing & distribution, healthcare, other, education, government, financial institutions, retail, and construction.
Significantly, the report notes that “the most common entry point was the use of valid, compromised credentials to access VPN infrastructure, which continued to grow in distribution this quarter. This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place.” The next category was the exploitation of internet-facing systems and services. A smaller subset included “search engine optimization (SEO) poisoning attacks and malicious advertisements, observed as a method used for initial access in some Rhysida ransomware investigations. This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors.”
The report notes how effective the SonicWall vulnerability has been for threat actors. It concludes that there is an “overlapping threat to customers using SonicWall’s network appliance product line. Going forward, Beazley Security expects threat actors in possession of the stolen configurations will leverage the compromised backup files to launch future, targeted attacks.”
