
The third quarter of 2025 saw a significant increase in ransomware activity, with an 11% rise in published data breach claims compared to the previous quarter. According to a report from Beazley Security, just three ransomware groups were responsible for the majority of cases (65%), and the primary initial access route was compromised VPN credentials.

Dominant Ransomware Groups

The three most prolific ransomware groups in the third quarter were Akira, Qilin, and INC Ransomware. These groups have demonstrated considerable operational capacity and together accounted for roughly two-thirds of reported incidents.

Initial Access Vectors

The most common way attackers gained initial access was by logging in to VPNs with valid, stolen credentials. This vector accounted for 48% of breaches, a notable increase from 38% the previous quarter. The second most common vector was exploitation of Internet-facing services, which made up 23% of cases.

Credential Attacks on SonicWall by the Akira Group

The report highlights credential-stuffing attacks by the Akira group against SonicWall SSL VPN services, in which previously stolen username and password pairs are replayed against the VPN login at scale. These attacks succeed where access controls are weak: no multi-factor authentication (MFA) on the VPN, and account lockout policies too lax to stop large volumes of login attempts.
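The log pattern behind such an attack is a single source address failing against many different accounts in a short window, sometimes followed by one success. The following is an added example, not code from the Beazley report or from SonicWall: a small detector run over constructed VPN authentication log lines. The log format, the field names and the thresholds are assumptions for illustration; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Spot credential-stuffing against a VPN login from authentication logs.

Added example. The line format below is an assumption, not SonicWall's real
syslog output; adapt LINE_RE to the appliance's actual format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays five accounts with one guess each and
# then succeeds against a sixth; a legitimate user mistypes once and recovers.
SAMPLE_LOG = """\
2025-09-14T02:10:01Z vpn-gw sslvpn: auth FAILURE user=jsmith src=203.0.113.45
2025-09-14T02:10:03Z vpn-gw sslvpn: auth FAILURE user=mlopez src=203.0.113.45
2025-09-14T02:10:05Z vpn-gw sslvpn: auth FAILURE user=tchen src=203.0.113.45
2025-09-14T02:10:07Z vpn-gw sslvpn: auth FAILURE user=bwilson src=203.0.113.45
2025-09-14T02:10:09Z vpn-gw sslvpn: auth FAILURE user=dpatel src=203.0.113.45
2025-09-14T02:10:12Z vpn-gw sslvpn: auth SUCCESS user=rkhan src=203.0.113.45
2025-09-14T02:11:00Z vpn-gw sslvpn: auth FAILURE user=ajones src=198.51.100.7
2025-09-14T02:11:30Z vpn-gw sslvpn: auth SUCCESS user=ajones src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log):
    """Turn raw log text into (timestamp, result, user, src) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_stuffing(events, min_users=5, window=timedelta(minutes=10)):
    """Flag a source IP that fails against >= min_users distinct accounts
    inside `window`, and escalate if that same source later logs in.

    Returns a list of alert tuples in the order they fire.
    """
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    flagged = set()
    alerts = []
    for ts, result, user, src in sorted(events):
        if result == "FAILURE":
            failures[src].append((ts, user))
            # distinct accounts this source has failed against recently
            recent = {u for t, u in failures[src] if ts - t <= window}
            if len(recent) >= min_users and src not in flagged:
                flagged.add(src)
                alerts.append(("SPRAY", src, len(recent)))
        elif src in flagged:
            # a valid login from a sprayer: treat the account as compromised
            alerts.append(("SUCCESS_AFTER_SPRAY", src, user))
    return alerts


def lockout_would_trigger(events, threshold=3):
    """Return the accounts a per-account lockout policy would have locked
    after `threshold` consecutive failures.

    A spray that makes one guess per account never reaches a per-account
    threshold, which is why lockout needs per-source rate limiting and MFA
    alongside it.
    """
    streak = defaultdict(int)
    locked = set()
    for _, result, user, _ in sorted(events):
        if result == "FAILURE":
            streak[user] += 1
            if streak[user] >= threshold:
                locked.add(user)
        else:
            streak[user] = 0
    return locked


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for alert in detect_stuffing(evts):
        print(alert)
    print("accounts a lockout policy would have caught:", lockout_would_trigger(evts))
```

On the sample data the source 203.0.113.45 is flagged after its fifth distinct failed account and again when rkhan's login succeeds, while the per-account lockout simulation locks nothing, because no single account saw three consecutive failures. That gap between what a source-based detector sees and what a per-account lockout sees is the practical reason MFA is the control that actually stops replayed credentials.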

The supply of stolen credentials comes from the underground cybercrime market, which is fed by infostealer malware. Despite the disruption of the Lumma Stealer ecosystem by Operation Endgame, the Rhadamanthys infostealer has emerged to take its place.

Increase in Zero-Day Vulnerabilities

The threat to corporate systems does not come only from credential abuse. In the third quarter, Beazley tracked 11,775 new CVEs published in NIST's National Vulnerability Database. Although this figure was similar to the previous quarter, Beazley Security Labs issued 38% more advisories to its customers about zero-day vulnerabilities.

These vulnerabilities included:

  • CVE-2025-53770: “ToolShell” vulnerability in Microsoft SharePoint.
  • CVE-2025-54309: CrushFTP.
  • CVE-2025-20333 and CVE-2025-20363: Cisco ASA VPN.
  • CVE-2025-7775: Citrix NetScaler.

Conclusions and Recommendations

Beazley's report emphasizes the need for continuous vulnerability management. Organizations should patch critical vulnerabilities as quickly as possible and, where a patch cannot be applied immediately, apply vendor-recommended temporary mitigations or remove the affected system from Internet exposure until it can be.

Additionally, organizations should assume that Internet-exposed devices affected by a critical, actively exploited vulnerability may already have been compromised, and should investigate for signs of intrusion rather than only patching. The proliferation of stolen credentials underscores the urgency of enforcing multi-factor authentication (MFA) everywhere, VPNs included, together with robust conditional access policies.
