Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare
Summary
North Korea's state-backed Lazarus group has been observed deploying Medusa ransomware against U.S. healthcare organizations and an entity in the Middle East in financially motivated extortion attacks. This is the first time Lazarus has been tied to Medusa, a ransomware-as-a-service (RaaS) operation, although the group has previously been associated with other ransomware strains. The attackers used a mix of custom and commodity tools, some of which overlap with tooling attributed to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks was $260,000; the proceeds reportedly fund espionage operations against the defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Reported Medusa victim counts differ between the sources: BleepingComputer cites more than 300 organizations since January 2021, while The Hacker News cites more than 366 organizations since the RaaS launched in 2023, with at least four U.S. healthcare and non-profit organizations targeted since November 2025. Symantec has published indicators of compromise (IoCs) to help defenders detect and block the activity.
Timeline
- 24.02.2026 13:52 · 1 article
Lazarus Group targets Middle East and U.S. healthcare with Medusa ransomware
The Lazarus Group has been observed using Medusa ransomware in an attack on an unnamed entity in the Middle East and in an unsuccessful attack on a healthcare organization in the U.S. The group's toolset includes RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer. The average ransom demand recorded across these attacks was $260,000.
Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- 24.02.2026 13:00 · 2 articles
Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare
Initial reporting: the North Korean state-backed Lazarus group is using Medusa ransomware against U.S. healthcare organizations and entities in the Middle East in financially motivated extortion attacks, the first time the group has been linked to Medusa (it has been associated with other ransomware strains before). The Medusa RaaS operation is reported to have impacted more than 366 organizations since its 2023 launch, with at least four U.S. healthcare and non-profit organizations targeted since November 2025. The toolset mixes custom and commodity tools, some shared with Diamond Sleet; the average ransom recorded is $260,000, reportedly funding espionage against defense, technology, and government targets in the U.S., Taiwan, and South Korea. Symantec has published IoCs for defenders.
Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
Information Snippets
- Lazarus group is targeting U.S. healthcare organizations with Medusa ransomware.
First reported: 24.02.2026 13:00 · 2 sources, 2 articles. Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- Medusa ransomware has impacted over 300 organizations since January 2021.
First reported: 24.02.2026 13:00 · 1 source, 1 article. Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- The toolset used in these attacks includes Comebacker, BLINDINGCAN, ChromeStealer, InfoHook, Mimikatz, RP_Proxy, and curl.
First reported: 24.02.2026 13:00 · 2 sources, 2 articles. Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- The average ransom recorded in these attacks is $260,000.
First reported: 24.02.2026 13:00 · 2 sources, 2 articles. Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- Symantec has published indicators of compromise (IoCs) to help defenders detect and block these attacks.
First reported: 24.02.2026 13:00 · 1 source, 1 article. Sources:
- North Korean Lazarus group linked to Medusa ransomware attacks — www.bleepingcomputer.com — 24.02.2026 13:00
- Medusa ransomware has impacted over 366 organizations since its launch in 2023.
First reported: 24.02.2026 13:52 · 1 source, 1 article. Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- At least four healthcare and non-profit organizations in the U.S. have been targeted by Medusa ransomware since November 2025.
First reported: 24.02.2026 13:52 · 1 source, 1 article. Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- The average ransom demand for these attacks was $260,000.
First reported: 24.02.2026 13:52 · 1 source, 1 article. Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- Lazarus Group has been observed using Medusa ransomware in attacks against entities in the Middle East and the U.S.
First reported: 24.02.2026 13:52 · 1 source, 1 article. Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
- The Lazarus Group's toolset includes RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.
First reported: 24.02.2026 13:52 · 1 source, 1 article. Sources:
- Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks — thehackernews.com — 24.02.2026 13:52
Similar Happenings
New Vect RaaS Group Targets Organizations in Brazil and South Africa
A new ransomware-as-a-service (RaaS) group named Vect has emerged, targeting organizations in Brazil and South Africa. The group, which began recruiting affiliates in December 2025, uses custom-built C++ malware with ChaCha20-Poly1305 AEAD encryption and intermittent encryption techniques. Vect operates with a high level of maturity, offering cross-platform ransomware targeting Windows, Linux, and VMware ESXi, and employs strong operational security measures. The group has already claimed two victims and operates a double extortion model. Vect's malware is notable for its speed and disruption capabilities, and the group's infrastructure is exclusively hosted on TOR hidden services. Initial access is likely achieved through exposed RDP/VPN, stolen credentials, phishing, or vulnerability exploitation.
Ransomware Evolution in 2025: Psychological Extortion and Targeted Attacks
In 2025, ransomware operations evolved significantly, shifting from mere file encryption to sophisticated extortion campaigns that leverage stolen data, legal liability, and psychological pressure. The decentralization of ransomware groups, combined with collaborative tactics, has made attribution and disruption more challenging. Threat actors now target SMBs in high-regulation regions, exploiting regulatory frameworks to amplify the impact of data leaks. The psychological manipulation in ransom notes has become more sophisticated, using tactics such as perceived omniscience, artificial time pressure, and legal fear to coerce victims into paying ransoms.
Ransomware payment rates decline to 23% in Q3 2025
Ransomware payment rates have dropped to 23% in Q3 2025, a new low. This decline is attributed to improved defenses and increased pressure from authorities not to pay. Ransomware groups are adapting by targeting medium-sized firms and focusing on data exfiltration. The average and median ransom payments also decreased to $377,000 and $140,000, respectively. The shift in payment rates and tactics reflects a broader trend of organizations strengthening their defenses and recognizing the value of investing in cybersecurity rather than paying ransoms. This trend is expected to continue as ransomware groups seek more profitable targets.
Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
Threat actors assessed to be the China-based group Storm-2603 have begun using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. The attackers used the ToolShell exploit for initial access and deployed an outdated Velociraptor release (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover and giving them persistent access to and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, modifying Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection, using Smbexec to remotely launch programs over SMB, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk was found on VMware ESXi systems.

Storm-2603 established the infrastructure for its AK47 C2 framework in March 2025 and built the first prototype of the tool the following month, pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025, used the ToolShell exploit as a zero-day against SharePoint in July 2025, and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. The group has demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

In a more recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited for access was CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518 that allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods, including startup items and scheduled tasks; other tools used in the attack include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR. The operators waited roughly a week after initial access before the final stage, encryption of all reachable machines. SentinelOne products reportedly stopped the final payload from encrypting, the impacted systems were isolated, and data was restored from fresh backups. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software's built-in 'Volume Mount' feature to gain full system control, and also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.
Akira and Cl0p Lead Most Active Ransomware-as-a-Service Groups in 2025
The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p were the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the U.S. The RaaS model lets lower-skilled actors launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. In Q3 2025, Akira, Qilin, and INC Ransomware were the most prolific groups, accounting for 65% of cases, and the use of valid credentials to access VPNs was the most common initial access method, accounting for 48% of breaches. Beazley tracked 11,775 new CVEs published by NIST in Q3 2025, with 38% more advisories issued regarding zero-day vulnerabilities. Akira has claimed approximately $244.17m in ransomware proceeds as of late September 2025.

Akira has targeted SonicWall devices by exploiting a year-old improper access control flaw in SonicOS firewalls (CVE-2024-40766) together with misconfigurations, and the Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. Over the past three months Akira attacks have driven a surge in exploitation of CVE-2024-40766, linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and hardening. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option, and consistently gained access with valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies. The earliest activity connected to the campaign began in mid-July 2025, with similar malicious VPN logins tracked back to October 2024; attacks have continued since July 2025, dipping around the end of August and early September and picking up pace again around the end of September 2025. A range of SonicWall devices has been targeted, including NSA and TZ series devices running SonicOS 6 and 7. SonicOS firmware versions 6.5.5.1-6n, 7.0.1-5065, 7.0.1-5119, 7.1.2-7019, 7.1.3-7015, and 7.3.0-7012 are vulnerable, as are hardware models NSa 2600, NSa 2700, NSa 4650, NSa 5700, TZ370, and TZ470. The campaign may trace back to earlier exploitation of CVE-2024-40766, which impacts SonicOS 5, 6, and 7, with credentials stolen from vulnerable firewalls possibly carried forward to newer SonicOS versions; Arctic Wolf Labs observed intrusions affecting devices running SonicOS 7.3.0 and even more recent versions such as 8.0.2. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, followed by network scanning, Impacket SMB activity, and Active Directory discovery, and recommends monitoring for VPN logins from untrusted hosting infrastructure, maintaining visibility into internal networks, and monitoring for anomalous SMB activity indicative of Impacket use.

Beyond SonicWall, Akira gains access to VPN products by stealing login credentials, exploiting vulnerabilities, using initial access brokers (IABs), brute-forcing VPN endpoints, and password spraying, and has been observed gaining initial access through the Secure Shell (SSH) protocol by exploiting a router's IP address. Akira has exploited CVE-2023-27532 and CVE-2024-40711 on unpatched Veeam Backup & Replication servers to gain access and delete backups. Its dwell times are among the shortest recorded for ransomware, measured in hours, and data has been exfiltrated in just over two hours from initial access in some incidents. Affiliates leverage pre-installed and legitimate utilities to evade detection, in one case using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server; they modify registry keys to evade detection, turn off security features, uninstall endpoint detection and response (EDR) systems, and drop various files, including scripts that modify firewall rules. Other observed tooling includes nltest, AnyDesk, LogMeIn, Impacket's wmiexec.py, and VB scripts for reconnaissance, lateral movement, and persistence; PowerShell and WMIC to disable services and run malicious scripts; and tunneling tools such as Ngrok to establish encrypted command-and-control (C2) channels that evade perimeter monitoring. Operators create new user accounts and add them to the administrator group to establish a foothold, and have been observed copying VMDK files from domain controller VMs to extract NTDS.dit files and SYSTEM hives for domain administrator access. In June 2025, Akira expanded its encryption capabilities to Nutanix AHV virtual machines, encrypting .qcow2 disk files for the first time. Encryption uses a sophisticated hybrid scheme, appending extensions such as .akira, .powerranges, .akiranew, or .aki to encrypted files, and a ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user's home directory (C:\Users).
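As an added example (not code from Arctic Wolf, CISA, Beazley or any of the cited reports), the Python hunt script below applies several of the detection points above to constructed telemetry: successful VPN logins from untrusted hosting ranges (with the MFA method surfaced so OTP-only accounts stand out), sources performing credential stuffing across many accounts, ADMIN$ share writes consistent with Impacket's wmiexec.py, and the Akira ransom-note names and file extensions. The log formats, the hosting ranges, and every IP, user and path are assumptions made up for the illustration; the wmiexec output-file naming (`__<unix time>` in ADMIN$) is taken from the tool's source, not from the page.

```python
"""Hunt for the Akira tradecraft described above in constructed log data.

Added example, not code from any of the cited reports. The log formats,
the "hosting provider" ranges and every IP, user and path are constructed.
"""
import ipaddress
import re

# Hypothetical untrusted-hosting ranges (documentation prefixes, constructed;
# substitute a real datacenter/VPS ASN feed in production).
HOSTING_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Artifacts named in the text: encrypted-file extensions and ransom-note names.
AKIRA_EXTENSIONS = (".akira", ".powerranges", ".akiranew", ".aki")
AKIRA_NOTES = {"fn.txt", "akira_readme.txt"}

# Constructed VPN log schema:
#   <ts> vpn login user=<u> src=<ip> mfa=<otp|cert|none> result=<ok|fail>
VPN_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>\S+) result=(?P<result>ok|fail)$"
)
# Constructed SMB write log schema:
#   <ts> smb write share=<share> path=<path> src=<ip>
SMB_RE = re.compile(r"^(?P<ts>\S+) smb write share=(?P<share>\S+) path=(?P<path>\S+) src=(?P<src>\S+)$")
# wmiexec.py writes command output to ADMIN$ as "__<unix time>"
# (Impacket default taken from the tool's source, not from the page).
WMIEXEC_OUTPUT = re.compile(r"^__\d+(\.\d+)?$")


def is_hosting(ip: str) -> bool:
    """True if the address falls inside one of the untrusted hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETS)


def flag_vpn_logins(lines, fail_threshold=5):
    """Return (hosting_logins, spraying_sources).

    hosting_logins: (user, src, mfa) for successful logins from hosting ranges.
    spraying_sources: source IPs with failed logins against at least
    fail_threshold distinct users (credential stuffing / password spraying).
    """
    hosting_logins = []
    failed_users = {}
    for line in lines:
        m = VPN_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        if ev["result"] == "ok" and is_hosting(ev["src"]):
            hosting_logins.append((ev["user"], ev["src"], ev["mfa"]))
        elif ev["result"] == "fail":
            failed_users.setdefault(ev["src"], set()).add(ev["user"])
    spraying = sorted(src for src, users in failed_users.items() if len(users) >= fail_threshold)
    return hosting_logins, spraying


def flag_wmiexec_smb(lines):
    """Return (src, path) for ADMIN$ writes whose file name matches wmiexec's output file."""
    hits = []
    for line in lines:
        m = SMB_RE.match(line)
        if m and m["share"].upper() == "ADMIN$" and WMIEXEC_OUTPUT.match(m["path"]):
            hits.append((m["src"], m["path"]))
    return hits


def find_akira_artifacts(paths):
    """Return paths whose file name is an Akira ransom note or carries an Akira extension."""
    hits = []
    for p in paths:
        name = re.split(r"[\\/]", p)[-1].lower()
        if name in AKIRA_NOTES or name.endswith(AKIRA_EXTENSIONS):
            hits.append(p)
    return hits


# Constructed sample telemetry (not from any real incident).
SAMPLE_VPN = [
    "2025-09-30T01:12:03Z vpn login user=jsmith src=203.0.113.45 mfa=otp result=ok",
    "2025-09-30T01:12:08Z vpn login user=jsmith src=192.0.2.10 mfa=cert result=ok",
] + [
    f"2025-09-30T01:1{i}:00Z vpn login user=user{i} src=198.51.100.7 mfa=none result=fail"
    for i in range(5)
]
SAMPLE_SMB = [
    "2025-09-30T01:20:11Z smb write share=ADMIN$ path=__1759195211.42 src=203.0.113.45",
    "2025-09-30T01:21:00Z smb write share=C$ path=Users\\jsmith\\report.docx src=192.0.2.10",
]
SAMPLE_PATHS = [
    r"C:\akira_readme.txt",
    r"C:\Users\jsmith\fn.txt",
    r"D:\shares\finance\q3.xlsx.akira",
    r"D:\shares\finance\q3.xlsx",
]

if __name__ == "__main__":
    hosting, spraying = flag_vpn_logins(SAMPLE_VPN)
    print("VPN logins from hosting ranges:", hosting)
    print("Spraying sources:", spraying)
    print("wmiexec-style ADMIN$ writes:", flag_wmiexec_smb(SAMPLE_SMB))
    print("Akira artifacts:", find_akira_artifacts(SAMPLE_PATHS))
```

The three checks are deliberately cheap and independent so they can be wired into whatever collects the VPN, SMB and file telemetry; the hosting-range match is the one Arctic Wolf singles out, and surfacing the MFA method alongside it is what makes OTP-only accounts visible for follow-up.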