Ransomware did not let up in 2025, new threats appeared, familiar operations shifted tactics, and exploitation-driven campaigns continued to turn single points of exposure into enterprise-wide impact. The year reinforced how quickly ransomware groups can scale when initial access is reliable and extortion pressure is consistent. This report summarizes what MOXFIVE observed across ransomware cases in 2025. It focuses on the most active variants, the initial access vectors that most often led to ransomware delivery, and the exploited vulnerabilities that drove distinct activity waves throughout the year.

Leading Ransomware Operations

‍Ransomware activity throughout 2025 was strongly influenced by ransomware-as-a-service (RaaS) operations, where operators provided the infrastructure and extortion framework to affiliate threat actors. Figure 1 shows the top five variants based on U.S. victims published to data leak sites (DLS) in the year. Akira, Qilin, and INC are the leading RaaS operations within this set, while Play and Cl0p appear to operate with a more closed model.

• Akira – Maintained steady activity throughout 2025 and was the most actively deployed ransomware. Operations were commonly supported by credential-based access and remote-access methods.
• Qilin – Continued to be a prominent ransomware-as-a-service offering in 2025, with a commission-based payment structure that remains attractive to affiliates. Activity aligned to a consistent double-extortion model.
• Play – Operated as a more closed group, maintaining tighter control over attacks and limiting broader affiliate-style access. Tradecraft has been associated with custom tooling used for internal discovery and data exfiltration.

Figure 1: Top ransomware variants based on number of known victims.

• INC – Remained a widely adopted double-extortion ransomware family since first being observed in 2023. Activity in 2025 reflected consistent use of data theft and leak-site pressure alongside encryption.
• Cl0p – Continued to focus on large-scale data theft and extortion tied to exploitation of enterprise platforms, with campaigns that can impact hundreds of organizations from a single vulnerability. In 2025, activity was linked to targeting of Cleo managed file transfer products and later exploitation activity affecting Oracle E-Business Suite beginning in August.

Additional insights from MOXFIVE case work include early-year activity tied to RansomHub prior to its infrastructure being taken down in late March to early April. Interlock, first identified by MOXFIVE in September 2024, expanded operations throughout 2025 and demonstrated increased maturity in tradecraft and execution. MOXFIVE was also engaged in several Scattered Spider-linked campaigns throughout the year, consistent with social engineering-led initial access and rapid escalation following compromise. Later in the year, a Telegram channel titled as “Scattered LAPSUS$ Hunters” emerged and reportedly claimed ties spanning Scattered Spider, LAPSUS$, and ShinyHunters, reinforcing that this activity is being framed as an alliance built around shared tradecraft, joint extortion messaging, and a common goal.

Initial Access Trends

Throughout 2025, ransomware campaigns showed consistent tactics, techniques, and procedures used to gain initial access. Based on MOXFIVE observations, remote entry points were the most common access paths, either through authenticated access or direct exploitation. Virtual private network (VPN) access was the most frequently observed starting point, followed by exploitation of internet-facing software or hardware vulnerabilities. Figure 2 breaks down the initial access vectors observed across ransomware cases, including exposed Remote Desktop Protocol (RDP) services, social engineering-driven access, and activity that led users to execute malicious downloads through lures such as phishing.

Figure 2: Initial access trends observed by MOXFIVE.

• VPN – VPN access most often involved authenticated access using valid credentials, including environments where multi-factor authentication (MFA) was not enforced for remote access. Other vectors included exploitation of exposed security flaws or misconfiguration on VPN infrastructure.
• Software/Hardware Vulnerability – Exploitation against internet-facing systems was used to establish an initial foothold, including exposed security flaws or misconfiguration and hardware-based compromise. Activity often targeted edge infrastructure where successful exploitation provides immediate network access and operational disruption.
• Remote Desktop Protocol – Externally accessible RDP services enabled credential-based access, including password spraying, and provided direct interactive access for follow-on activity.
• Malicious Download – Included compromised websites, fake update lures, and phishing emails that redirected users to malicious downloads and execution of initial access malware.
• MSP Managed RMM – Managed service provider (MSP) remote monitoring and management (RMM) tooling was abused to gain administrative access across managed endpoints, creating one-to-many impact across downstream environments. Activity included exploitation of unpatched SimpleHelp deployments and use of legitimate remote access tooling such as ScreenConnect, with MeshAgent observed as a persistence mechanism in some cases.
• Help Desk Social Engineering – IT help desk impersonation was used through voice calls or messaging platforms to build trust and create urgency around a fabricated technical issue. Targets were then directed into access-enabling actions such as password resets, MFA changes, or installation of legitimate remote access tooling.

Notable Exploited Vulnerabilities

The exploitation of vulnerabilities remained a consistent driver of ransomware risk throughout 2025, particularly when flaws affected widely deployed remote access and enterprise application platforms. Organizations stayed exposed through a mix of zero-day exploitation, unpatched or delayed remediation after fixes were available, and repeat exploitation of older issues when upgrades or migrations carried forward insecure configurations. The vulnerabilities below show distinct exploitation waves across the year, with recurring patterns that included unauthenticated access paths and follow-on activity aligned to data theft and extortion.

2026 Ransomware Outlook

Ransomware conditions heading into 2026 continue to favor affiliate-driven operations, with RaaS programs and access brokers sustaining a steady supply of campaigns built on remote access and identity-based entry points. Vulnerability exploitation is likely to remain a primary driver, particularly for edge and enterprise platforms that offer broad reach and high-impact access. Social engineering is expected to stay central for access and privilege escalation, with hdesk impersonation and identity workflow abuse continuing to generate reliable initial footholds. Key trends and emerging threats to track entering 2026 include:

• ShinySp1d3r RaaS developments by the Scattered LAPSUS$ Hunters group.
• New LockBit activity is associated with the LockBit 5.0 variant.
• Warlock ransomware activity attributed to China-based threat actors like Storm-2603.

How MOXFIVE Can Help
‍MOXFIVE supports organizations with control validation, resilience assessments, response playbook development, realistic tabletop exercises, exposure reduction, and backup and recovery testing. Our team aligns preventive, detective, and recovery controls to current ransomware and intrusion trends to strengthen resilience across modern enterprise environments. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.