Ransomware

Q3 ransomware activity dominated by three groups, stolen VPN credential use

Sixty-five percent of ransomware attacks between July and September have been conducted by the Akira, Qilin, and INC ransomware operations, while leak posts rose by 11% over the previous quarter, Infosecurity Magazine reports.

Hacked VPN credentials have been leveraged to facilitate compromise in 48% of ransomware incidents in the third quarter, making it the most prevalent initial access vector, followed by external service exploits, according to a Beazley Security report. Such targeting of credentials was evident in Akira ransomware's attack campaign against SonicWall SSL VPN devices, which entailed the exploitation of inadequate lockout policies and the absence of multi-factor authentication.
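The pattern described above, a burst of failed VPN logins followed by a success that a lockout policy would have interrupted, is something defenders can look for in authentication logs. The following is an added example, not code from the article or the Beazley report; the log format, the sample lines and the `find_lockout_bypass` function are all constructed for illustration and are not tied to any specific VPN vendor's log schema.

```python
# Added example (not from the article): flag VPN logins that succeed after a
# burst of failures within a short window. With a working lockout policy the
# account would have been locked before the success; with MFA the stolen
# password alone would not have sufficed. Log format below is constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <source_ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2025-09-14T02:10:01 jdoe 203.0.113.5 FAIL
2025-09-14T02:10:03 jdoe 203.0.113.5 FAIL
2025-09-14T02:10:04 jdoe 203.0.113.5 FAIL
2025-09-14T02:10:06 jdoe 203.0.113.5 FAIL
2025-09-14T02:10:07 jdoe 203.0.113.5 FAIL
2025-09-14T02:10:09 jdoe 203.0.113.5 SUCCESS
2025-09-14T08:00:00 asmith 198.51.100.7 FAIL
2025-09-14T08:00:20 asmith 198.51.100.7 SUCCESS
"""

def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result

def find_lockout_bypass(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (user, ip, failures_before_success, success_ts) for every login
    that succeeded after at least fail_threshold failures inside `window`."""
    recent_fails = defaultdict(deque)  # user -> timestamps of recent failures
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = parse_line(line)
        fails = recent_fails[user]
        while fails and ts - fails[0] > window:  # drop failures outside window
            fails.popleft()
        if result == "FAIL":
            fails.append(ts)
        elif result == "SUCCESS":
            if len(fails) >= fail_threshold:
                findings.append((user, ip, len(fails), ts.isoformat()))
            fails.clear()  # a success resets the failure streak
    return findings

if __name__ == "__main__":
    for finding in find_lockout_bypass(SAMPLE_LOG):
        print("possible credential abuse:", finding)
```

Tune `fail_threshold` to match the lockout threshold the VPN is supposed to enforce; any hit means either the policy is not configured or it is not being applied to that account.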

Additional findings showed that while the number of new CVEs posted by the National Institute of Standards and Technology has held steady during the third quarter, zero-day advisories have increased by 38% during the same period.

Most notable of the disclosed zero-days were the Citrix NetScaler, CrushFTP, and Microsoft SharePoint ToolShell bugs, tracked as CVE-2025-7775, CVE-2025-54309, and CVE-2025-53770, respectively. Organizations have been advised to adopt MFA and more robust vulnerability management to counter escalating ransomware threats.
