This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August.
# Threat Landscape Updates: July and August Review
This summary outlines the core threat intelligence findings from the Counter Threat Unit’s high-level bimonthly report spanning activities and changes observed during July and August. The primary focus areas were the volatility of the ransomware ecosystem, the continued risk posed by stolen credentials lacking MFA, and the persistent danger of unpatched legacy vulnerabilities.
## Key Points
- **Ransomware Volatility:** Despite law enforcement actions causing disruptions, the volume of ransomware attacks remained high, exceeding levels seen in the same months of 2024.
- **Activity Distribution:** Attacks were more evenly spread across multiple groups, indicating fragmentation and the rise of new or rebranded schemes following disruptions.
- **Credential Theft Impact:** The absence of Multi-Factor Authentication (MFA) remains a significant enabler for threat actors exploiting stolen credentials.
- **Cloud Pivot:** Threat actors are increasingly pivoting to cloud and hybrid environments for ransomware activity.
- **Defense Cornerstone:** Prompt patching, phishing-resistant MFA, and comprehensive monitoring remain the essential defenses against the majority of ransomware attacks.
## Threat Actors
- **Prolific Schemes:** Qilin and Akira were noted as the two most active ransomware schemes during July and August 2025 in terms of victim counts.
- **Known Actors:** Scattered Spider and ShinyHunters were noted for attracting high media attention, though they were not necessarily the most prolific in raw victim numbers for this period.
- **Emerging/Returning Actors:** 37 new ransomware schemes emerged in the first half of 2025, with four more in July and four in August. Several dormant groups also returned to activity.
- **Affiliate Circulation:** New schemes are often formed by displaced affiliates from disrupted operations (e.g., following LockBit disruptions), leading to difficulty in attribution.
## TTPs
- **Ransomware Deployment:** Continued reliance on successful initial access methods leading to high-impact data extortion and encryption.
- **Credential Exploitation:** Exploiting stolen credentials where MFA was not enforced.
- **Cloud Lateral Movement:** Increasingly pivoting operations into cloud and hybrid environments for persistence and attack execution.
## Affected Systems
- **Focus Areas:** Internet-facing devices remain primary targets for initial compromise via unpatched vulnerabilities.
- **Emerging Focus:** Cloud and hybrid environments are increasingly targeted.
## Mitigations
- **Patching Cadence:** Implement prompt patching, prioritizing internet-facing devices.
- **Authentication Hardening:** Deploy phishing-resistant Multi-Factor Authentication (MFA) across all potential entry points.
- **Monitoring:** Establish comprehensive monitoring across endpoints and networks.
- **Cloud Security:** Actively monitor cloud and hybrid environments for malicious activity.
## Conclusion
The ransomware landscape is highly dynamic due to law enforcement pressures, resulting in affiliate redeployment and the emergence of numerous smaller schemes. While attribution is harder, the core mitigation strategies—patching, phishing-resistant MFA, and robust monitoring—remain highly effective against the majority of these evolving threats. Organizations must intensify focus on securing cloud infrastructure as threat actors pivot their operations.