Q3 2025 ransomware cases shift toward compromised VPN credentials
Trend
Summary
Hide ▲
Show ▼
Ransomware surged in Q3 2025, and compromised VPN credentials became the most common initial-access route, increasing exposure across remote-access environments. Three groups accounted for 65% of cases, showing that activity was concentrated even as the overall problem broadened. The share of breaches using valid credentials reached 48%, up from 38% in the prior quarter, underscoring a sharp rise in credential abuse. External service exploits remained a major secondary path at 23% of cases.
Related Happenings
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
Vulnerability
H score47
First: 08.06.2026 16:05
Last: 08.06.2026 16:05
Sources 1
About this happening:
**Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
VulnerabilityAbout this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
H score50
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
VulnerabilityAbout this happening: Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
H score50
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
Pay2Key ransomware campaign accelerated by US-Iran tensions
CampaignAbout this happening: Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
H score25
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Qilin, Akira and Sinobi late-2025 ransomware wave
Campaign
H score39
First: 29.01.2026 15:01
Last: 29.01.2026 15:01
Sources 1
About this happening:
A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...
Qilin, Akira and Sinobi late-2025 ransomware wave
CampaignAbout this happening: A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...
Timeline
-
19.11.2025 11:40 2 articles · 7mo ago
Q3 2025 ransomware shifts toward compromised VPN credentials
Initial DisclosureQ3 2025 ransomware activity was dominated by Akira, Qilin and INC Ransomware, which accounted for 65% of cases. Compromised VPN credentials and valid credential abuse were the most common initial-access paths, with valid credentials used in 48% of breaches, up from 38% in Q2, while external service exploits accounted for 23% of cases. Akira was linked to a prolonged campaign against SonicWall security appliances using credential stuffing against SonicWall SSLVPN services, exploiting absent MFA and insufficient lockout policies. The same analysis noted 11,775 new CVEs published by NIST in Q3 and 38% more zero-day advisories, and urged comprehensive multi-factor authentication (MFA), conditional access policies, temporary mitigations, and locked-down network access for internet-exposed vulnerable devices.
Show sources
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40