Q3 2025 ransomware cases shift toward compromised VPN credentials
Target Trend
Summary
Ransomware surged in Q3 2025, and compromised VPN credentials became the most common initial-access route, increasing exposure across remote-access environments. Three groups accounted for 65% of cases, showing that activity was concentrated even as the overall problem broadened. The share of breaches using valid credentials reached 48%, up from 38% in the prior quarter, underscoring a sharp rise in credential abuse. External service exploits remained a major secondary path at 23% of cases.
Related Happenings
SonicWall Gen6 SSL-VPN MFA-bypass flaw (CVE-2024-12802)
Vulnerability
First: 21.05.2026 00:19
Last: 21.05.2026 00:19
Sources 1
About this happening:
Researchers confirmed **first-in-the-wild exploitation** of **CVE-2024-12802** against **SonicWall Gen6 SSL-VPN appliances**, showing that incomplete remediation can leave **MFA b...
Pay2Key ransomware campaign accelerated by US-Iran tensions
Campaign
First: 26.03.2026 12:45
Last: 26.03.2026 12:45
Sources 1
About this happening:
Pay2Key's ransomware operation appears to have accelerated amid **recent US-Iran tensions**, indicating an active campaign with broader victimization risk. The group has been acti...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Qilin, Akira and Sinobi late-2025 ransomware wave
Campaign
First: 29.01.2026 15:01
Last: 29.01.2026 15:01
Sources 1
About this happening:
A **late-2025 ransomware wave** led by **Qilin**, **Akira** and **Sinobi** increased pressure on **organizations** as operators prioritized **fast access and execution** to evade...
Ransomware leak-site postings surged across victim organizations in Q4 2025
Target Trend
First: 29.01.2026 15:01
Last: 29.01.2026 15:01
Sources 1
About this happening:
In **Q4 2025**, ransomware leak-site postings for **victim organizations** rose sharply, signaling stronger extortion pressure across affected targets. Postings were **up 50% quar...
Timeline
19.11.2025 11:40 · 2 articles
Q3 2025 ransomware shifts toward compromised VPN credentials
Initial Disclosure
Q3 2025 ransomware activity was dominated by Akira, Qilin and INC Ransomware, which together accounted for 65% of cases. Compromised VPN credentials and valid-credential abuse were the most common initial-access paths: valid credentials were used in 48% of breaches, up from 38% in Q2, while external service exploits accounted for 23% of cases. Akira was linked to a prolonged campaign against SonicWall security appliances that used credential stuffing against SonicWall SSL-VPN services, exploiting absent MFA and insufficient lockout policies. The same analysis noted 11,775 new CVEs published by NIST in Q3 and 38% more zero-day advisories, and urged comprehensive multi-factor authentication (MFA), conditional access policies, temporary mitigations, and locked-down network access for internet-exposed vulnerable devices.
Sources
- Half of Ransomware Access Due to Hijacked VPN Credentials — www.infosecurity-magazine.com — 19.11.2025 11:40