Full Report
Ransomware attacks soared to the second-highest total on record in October 2025. October's 623 ransomware attacks were up more than 30% from September, and below only February 2025's record totals (chart below). It was the sixth consecutive monthly increase in ransomware attacks.

Qilin was the most active ransomware group for the sixth time in the last seven months; its 210 claimed victims were three times the total of second-place Akira (chart below). Also of note is the third-place showing of Sinobi with 69 claimed victims, a rapid ascent for a group that first emerged in July 2025. We include high-confidence Qilin indicators of compromise (IoCs) from October 2025 in an appendix below.

Construction, Professional Services, Healthcare, Manufacturing, IT and Energy/Utilities were the most attacked sectors (chart below). In October, 31 incidents potentially impacted critical infrastructure, and 26 incidents had possible supply chain implications.

The U.S. was by far the most attacked country once again; its 361 attacks were 10 times the total of second-place Canada (chart below). Of concern is the emergence of Australia as a top-five target, as the country's rich resources and high per-capita GDP have made it attractive to threat actors.

Year-to-date, ransomware attacks are up 50% from the first 10 months of 2024, to 5,194 attacks through October 31, as new leaders like Qilin, Sinobi, and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub.
Vulnerabilities Weaponized by Ransomware Groups in October

Fueling the increase in both ransomware and supply chain attacks this year has been a steady supply of critical IT vulnerabilities, as well as a large number of unpatched internet-facing assets. Among the vulnerabilities targeted in October were:

- Oracle E-Business Suite remote SSRF/XSL RCE (CVE-2025-61882) – targeted by Cl0p
- GoAnywhere MFT deserialization RCE (CVE-2025-10035) – Medusa
- Microsoft Windows Privilege Escalation Vulnerability (CVE-2021-43226) – Unknown ransomware groups (CISA advisory)
- Velociraptor Incorrect Default Permissions (CVE-2025-6264) – Warlock ransomware operators
- Linux kernel netfilter nf_tables module (CVE-2024-1086) – Unknown ransomware groups (CISA advisory)

Ransomware Attacks and Key Developments

Below are some of the most important ransomware developments in October 2025, culled from Cyble and OSINT sources.

The Cl0p ransomware group exploited a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite versions 12.2.3–12.2.14 to achieve remote code execution (RCE) via a server-side request forgery (SSRF) that forces the application to fetch and execute a malicious XSL payload. The group sent extortion emails and appears to be leveraging this exploit as an entry point for data theft and ransomware deployment.

Medusa ransomware chained an unauthenticated deserialization RCE in GoAnywhere MFT (CVE-2025-10035) to gain initial access, then maintained persistence and remote control by abusing RMM tooling (SimpleHelp and MeshAgent), dropping RMM binaries directly under the GoAnywhere process and creating .jsp web shells in MFT directories. They performed user/system discovery and network scans (e.g., netscan), moved laterally using mstsc.exe (RDP), and used the RMM infrastructure (plus a Cloudflare tunnel) for command and control (C2). Data theft was performed with Rclone in at least one incident, and Medusa ransomware was later deployed in at least one confirmed environment.
Ransomware operators are increasingly hijacking or silently installing legitimate remote access tools (AnyDesk, RustDesk, Splashtop, TightVNC, etc.) after credential compromise to gain persistent, stealthy access, using these trusted channels for file transfer, interactive control, antivirus neutralization, and ransomware delivery. Attack paths include credential theft/brute force, modifying existing tool configs or using silent install flags, escalating to SYSTEM, disabling defenses, and propagating the tools to support lateral movement and final encryption.

Warlock operators installed an outdated version of the open-source Velociraptor on multiple servers to establish stealthy persistence and remote control, then used it alongside a pre-existing vulnerability (CVE-2025-6264) and GPO modifications to disable defenses. They later deployed Warlock, LockBit and Babuk ransomware variants within the same engagement, while also exfiltrating data and encrypting virtual machine environments.

Recent BlackSuit campaigns employed vishing to steal VPN credentials for initial access and performed DCSync on a domain controller for high-privilege credentials. In addition, the group deployed AnyDesk and a custom RAT for persistence. Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption.

The threat actor Vanilla Tempest conducted a campaign that distributed fake Microsoft Teams installers hosted on look-alike domains. The installers used fraudulently signed certificates, delivering the Oyster backdoor and ultimately Rhysida ransomware. Microsoft disrupted the operation in early October by revoking more than 200 certificates.
Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing legitimate remote-management tools (WinSCP, Splashtop, AnyDesk, ScreenConnect) and leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks. In addition, other affiliates used a staged toolkit (SharpDecryptPwd, Mimikatz, NirSoft utilities) plus a WDigest registry tweak to harvest credentials, and exfiltrated data via abused cloud tools like Cyberduck (multipart uploads to Backblaze).

Trigona ransomware operators brute-forced exposed MS-SQL servers, embedding malware inside database tables and exporting it to disk via bcp.exe to install payloads (e.g., AnyDesk, Teramind). The actor also deployed Rust-based RDP/MS-SQL scanners, a Go SQL-injection tester ("StressTester"), and custom delete/replace binaries: an automated, SQL-centric intrusion chain that weaponizes legitimate DB tooling for initial access and payload delivery.

On October 9, DragonForce posted on the RAMP forum that it is opening its partner program to the public. New affiliates can register and immediately access a suite of free "partner services," including professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee; payments are accepted in XMR and BTC. The group warned affiliates to follow its rules or face account blocking or free decryptor distribution.

On October 18, threat actor Zeta88, the alleged operator of The Gentlemen ransomware, announced on RAMP updates to their Windows, Linux and ESXi lockers, adding automatic self-restart and run-on-boot, a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spread capabilities across networks/domains using WMI/WMIC, SCHTASKS, SC (Service Control) and PowerShell Remoting. The release also introduced flexible encryption-speed modes, multiple Windows operating modes, and a universal decryptor covering all operating modes.
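Several of the host-level behaviours described above (the WDigest registry tweak, bcp.exe exporting table contents to disk, RMM agents spawned directly under the GoAnywhere process, and silent installs of legitimate remote-access tools) can be expressed as simple endpoint detections. The following is an added example, not Cyble's code or any vendor's rule set; the event records are constructed in a simplified Sysmon-like shape, and the paths, command lines and RMM binary names are assumptions made for illustration.

```python
import re

# Constructed sample events (not real telemetry) in a simplified Sysmon-like shape:
# 'process' records mimic process creation, 'registry' records mimic a value being set.
SAMPLE_EVENTS = [
    # Trigona-style: bcp.exe exporting a payload stored in a table out to disk
    {"type": "process", "image": r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'bcp "select blob from dbo.stage" queryout C:\ProgramData\svc.exe -S . -T -n'},
    # Qilin-affiliate style: enabling WDigest cleartext credential caching
    {"type": "registry", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "1"},
    # Medusa-style: RMM agent spawned directly under the GoAnywhere MFT process (assumed path)
    {"type": "process", "image": r"C:\ProgramData\Mesh\meshagent.exe",
     "parent": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "cmdline": "meshagent.exe -install"},
    # Silent install of a legitimate remote-access tool from a user download
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --silent'},
    # Benign: interactive launch of an already-installed tool
    {"type": "process", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
]

# Partial list of remote-access binaries named in the report; extend per environment.
RMM_BINARIES = {"anydesk.exe", "rustdesk.exe", "meshagent.exe", "srserver.exe", "tvnserver.exe"}
# Common unattended-install switches seen on Windows installers.
SILENT_FLAGS = re.compile(r"(?:^|\s)(?:/s|/silent|/quiet|/verysilent|--silent)(?=\s|$)", re.I)
WDIGEST_SUFFIX = r"\securityproviders\wdigest\uselogoncredential"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return the names of the detection rules an event matches (empty list if none)."""
    hits = []
    if event["type"] == "registry":
        # UseLogonCredential=1 makes LSASS keep cleartext passwords available to WDigest
        if event["key"].lower().endswith(WDIGEST_SUFFIX) and event["value"].strip() == "1":
            hits.append("wdigest_cleartext_creds_enabled")
        return hits
    image, parent, cmd = basename(event["image"]), event["parent"].lower(), event["cmdline"]
    if image == "bcp.exe" and re.search(r"\bqueryout\b", cmd, re.I):
        hits.append("bcp_queryout_to_disk")  # query results written to a file on disk
    if image in RMM_BINARIES:
        if SILENT_FLAGS.search(cmd):
            hits.append("rmm_silent_install")
        if "goanywhere" in parent:
            hits.append("rmm_spawned_by_mft_process")
    return hits


def scan(events):
    """Pair each matching event index with its rule name, e.g. [(0, 'bcp_queryout_to_disk')]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]
```

Running `scan(SAMPLE_EVENTS)` flags the first four constructed events and leaves the benign interactive launch alone; in production the same rules would be fed from process-creation and registry telemetry rather than an inline list.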
Conclusion

The alarming increase in ransomware attacks in October – and the continual investment in upgrades and innovations by ransomware groups – highlights the need for security teams to respond with equal vigilance. Basic cybersecurity best practices that can help protect against a wide range of cyber threats include:

- Prioritizing vulnerabilities based on risk.
- Protecting web-facing assets.
- Segmenting networks and critical assets.
- Hardening endpoints and infrastructure.
- Strong access controls, allowing no more access than is required, with frequent verification.
- A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks.
- Encryption of data at rest and in transit.
- Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible.
- Honeypots that lure attackers to fake assets for early breach detection.
- Proper configuration of APIs and cloud service connections.
- Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools.
- Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests.

Cyble's comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.
Appendix: IoCs Associated with Qilin Ransomware Group, October 2025
Analysis Summary
# Incident Report: October 2025 Global Ransomware Surge
## Executive Summary
October 2025 saw a massive surge in global ransomware activity, resulting in 623 attacks—the second-highest total on record and a 30% increase from September. Threat actors aggressively weaponized critical, recently disclosed vulnerabilities for initial access. Qilin remained the dominant threat group, while new actors like Sinobi rapidly gained prominence, primarily targeting the US, with critical infrastructure and supply chains being significantly impacted.
## Incident Details
- **Discovery Date:** Data covers the month of October 2025.
- **Incident Date:** Various incidents throughout October 2025.
- **Affected Organization:** Statistics cover 623 distinct ransomware incidents across multiple organizations globally.
- **Sector:** Construction, Professional Services, Healthcare, Manufacturing, IT, and Energy/Utilities were the most attacked.
- **Geography:** The US was the most attacked country (361 attacks), followed by Canada. Australia emerged as a top-five target.
## Timeline of Events
*Note: This timeline aggregates representative attack patterns observed throughout the month, as specific dates for all 623 incidents are not provided.*
| Date/Time | Vector/Activity | Details |
| :--- | :--- | :--- |
| **Throughout October 2025** | **Dominant Activity** | Ransomware attacks increased by over 30% month-over-month, marking the sixth consecutive monthly increase. |
| **Unknown Early October** | **Initial Access (Cl0p)** | Exploitation of **CVE-2025-61882** (Oracle E-Business Suite SSRF/XSL RCE) by Cl0p: the SSRF forces the application to fetch and execute a malicious XSL payload, yielding RCE that was followed by extortion emails, data theft and potential ransomware deployment. |
| **Unknown Early October** | **Initial Access (Medusa)** | Chaining of **CVE-2025-10035** (GoAnywhere MFT RCE) for initial access. Attackers deployed RMM tools (SimpleHelp, MeshAgent) for persistence. |
| **Early October** | **Response Action (Microsoft)** | Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 fraudulently signed certificates used to distribute fake Microsoft Teams installers hosting the Oyster backdoor and Rhysida ransomware. |
| **October 9, 2025** | **Group Development (DragonForce)** | DragonForce opened its public partner program, requiring a $500 fee and offering "partner services" such as hash decryption and support, with strict behavioral rules enforced. |
| **Unknown Mid-October** | **Initial Access (Trigona)** | Brute-forcing of exposed MS-SQL servers, embedding malware in database tables and using `bcp.exe` to export payloads (e.g., AnyDesk, Teramind) to disk. |
| **Unknown Mid-October** | **Initial Access and Credential Access (BlackSuit)** | Vishing used to steal VPN credentials for initial access; DCSync performed against a domain controller to obtain high-privilege credentials, with AnyDesk and a custom RAT deployed for persistence. |
| **Later October** | **Technique Evolution (The Gentlemen/Zeta88)** | Zeta88 announced updates to its ransomware, adding network self-spreading capabilities via WMI/WMIC, SCHTASKS, and PowerShell Remoting, alongside silent encryption modes. |
| **End of October** | **Overall Assessment** | Year-to-date attacks reached 5,194, a 50% increase from 2024, largely driven by leaders like Qilin and Sinobi replacing former actors like LockBit. |
## Attack Methodology (Aggregated from Specific Group Activities)
| MITRE ATT&CK Phase | Techniques Observed |
| :--- | :--- |
| **Initial Access** | Exploitation of public-facing application vulnerabilities (CVE-2025-61882, CVE-2025-10035), Vishing (VPN credential theft), brute-forcing exposed MS-SQL servers. |
| **Persistence** | Hijacking/installing legitimate RMM tools (AnyDesk, Splashtop, SimpleHelp), abusing RMM infrastructure for C2, and Warlock operators deploying an outdated Velociraptor build for stealthy remote control. |
| **Privilege Escalation** | Targeting specific OS vulnerabilities (CVE-2021-43226), achieving SYSTEM level access via RMM abuse. |
| **Defense Evasion** | Disabling defenses using GPO modifications; using CCleaner to wipe forensic traces; employing legitimate tools (AnyDesk) to mask malicious activity. |
| **Credential Access** | DCSync on domain controllers (BlackSuit); leveraging staged toolkits (Mimikatz, NirSoft utilities) with WDigest registry tweaks (Qilin affiliates). |
| **Discovery** | Network scans (`netscan`) and user/system discovery (Medusa). |
| **Lateral Movement** | Using mstsc.exe (RDP); deploying Ansible to target ESXi hosts (BlackSuit); utilizing WMI/SCHTASKS for domain-wide self-spreading (The Gentlemen). |
| **Collection** | Data theft using legitimate file-transfer tools like Rclone (Medusa). |
| **Exfiltration** | Abusing cloud tools (Cyberduck multipart uploads to Backblaze); using Cloudflare tunnels for C2 and data exfiltration. |
| **Impact** | Deployment of ransomware variants (Warlock, LockBit, Babuk); encryption of hundreds of ESXi VMs after disabling defenses. |
## Impact Assessment
- **Financial:** Not quantified, but the 50% YTD increase suggests significant financial impact across targeted entities.
- **Data Breach:** Data exfiltration was confirmed or suspected in multiple campaigns (Cl0p, Qilin affiliates).
- **Operational:** Major operational disruption was noted, particularly in environments where ESXi hosts were fully encrypted (BlackSuit). 31 incidents potentially impacted critical infrastructure.
- **Reputational:** The rise of disruptive new actors (Sinobi) and the consistent high volume of attacks place general reputational risk high across targeted sectors.
## Indicators of Compromise
*Note: The indicators below are a subset of those in the source report, shown defanged (hxxp://, [.]) so that they cannot be clicked or resolved by accident.*
- **Network Indicators (Defanged Examples):**
- hxxp://104[.]164[.]55[.]7/231/means.d
- hxxp://185[.]141[.]216[.]127/tr.e
- hxxp://45[.]221[.]64[.]245/mot/
- hxxps://chatgptitalia[.]net/
- hxxps://pub-2149a070e76f4ccabd67228f754768dc[.]r2[.]dev/[...]
- **File Indicators (Qilin SHA-256 File Hash Examples):**
- 15E5BF0082FBB1036D39FC279293F0799F2AB5B2B0AF47D9F3C3FDC4AA93DE67
- 16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0
- E46BDE83B8A3A7492FC79C22B337950FC49843A42020C41C615B24579C0C3251
- **Behavioral Indicators:**
- Exploitation of CVE-2025-61882 (Oracle SSRF/XSL RCE).
- Deployment of RMM binaries directly under compromised legitimate application processes.
- Use of legitimate DB tooling (`bcp.exe`, SQL scanners) for initial payload delivery.
- Registry modification (WDigest tweak) for credential harvesting.
## Response Actions
*Response actions described are specific defensive measures taken by victims or external entities (like Microsoft) against specific campaigns, rather than one consolidated organizational response.*
- **Patching/Mitigation:** Immediate patching of published vulnerabilities (e.g., focusing on CVE-2025-61882, CVE-2025-10035, CVE-2025-6264).
- **Certificate Revocation:** Microsoft revoked over 200 certificates used by the Vanilla Tempest threat actor.
- **Defense Hardening:** The Gentlemen's lockers now self-propagate via WMI/WMIC, SCHTASKS, SC and PowerShell Remoting, so defenders should restrict and closely monitor these remote-execution channels between hosts rather than treat them as trusted administrative traffic.
## Lessons Learned
1. **Vulnerability Velocity is Key:** The rapid increase in attacks correlates directly with the steady supply of critical, newly disclosed vulnerabilities (e.g., Oracle, GoAnywhere). Unpatched internet-facing assets remain a primary entry point.
2. **Living off the Land (LotL) is Standard:** Threat actors now routinely hijack or silently install trusted Remote Management Tools (AnyDesk, Splashtop) for stealthy persistence and C2, bypassing traditional network monitoring.
3. **New Actors are Agile:** Groups like Sinobi achieved rapid ascension, indicating that monitoring emerging threats is crucial, as established groups like LockBit wane.
4. **Supply Chain Risk is Elevated:** 26 incidents across the month had possible supply chain implications, suggesting vendor tooling attacks remain a high-value target.
## Recommendations
1. **Patching Prioritization:** Establish a process to prioritize patching internet-facing assets (especially those with known RCEs) within 72 hours of disclosure, leveraging CISA advisories.
2. **RMM and Tool Monitoring:** Implement strict controls and monitoring on the deployment, configuration, and execution of legitimate remote access tools. Ensure unattended (silent-flag) installations of such tools are blocked by application control or flagged by Endpoint Detection and Response (EDR).
3. **Immutable Backups:** Maintain ransomware-resistant backups that are isolated (air-gapped or immutable) to ensure recovery capability despite sophisticated encryption and wiping attempts.
4. **Network Segmentation:** Improve network segmentation to limit the scope of lateral movement achieved through techniques like WMI/WMIC or RDP abuse observed in BlackSuit and The Gentlemen activity.
5. **API and Cloud Security:** Enhance monitoring and auditing for data exfiltration via legitimate cloud upload services (e.g., S3, Backblaze) and complex API interactions.