Ransomware activity declined throughout April 2025, marking a shift from the elevated levels observed in previous months. This slowdown may be partially attributed to the disappearance of the RansomHub leak site in early April, which disrupted operations for one of the most active ransomware groups seen in Q1. Despite the overall dip, threat actors continued to frequently leverage variants such as Play and Akira.
This report highlights ongoing exploitation of the Windows CLFS privilege escalation vulnerability, as well as the continued targeting of virtual private network (VPN) infrastructure for initial access. Industry insights show consistent targeting of Manufacturing, Professional Services, and Technology organizations, with VPN exploitation featured as this month’s case study. The accompanying Resilience Spotlight outlines key controls to secure remote access pathways and reduce the risk of credential-based attacks.
Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.
Ransomware activity saw a noticeable dip throughout April, with fewer observed cases compared to previous months. One potential contributor to this slowdown was the unexpected disappearance of the RansomHub leak site in early April, which may have disrupted affiliate operations or driven a temporary shift in group activity across the broader threat landscape.
Figure 1: Top ransomware variants based on number of known victims.
For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Akira, Qilin, DragonForce and Lynx.
Manufacturing & Production remained the most impacted industry in April based on observed ransomware leak site activity. The sector continues to face sustained targeting, likely due to its reliance on uninterrupted operations and high sensitivity to downtime.
Professional Services and Technology followed, with both sectors consistently impacted across multiple ransomware variants. These industries often support a wide range of clients and infrastructure, increasing their exposure to opportunistic and targeted attacks.
Construction & Engineering and Healthcare also remained frequent targets, reflecting the broad reach of ransomware operations.
Figure 2: Top industries impacted by ransomware this month.
These rankings are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.
Exploitation as a Primary Initial Access Vector
Throughout 2025, MOXFIVE has observed a significant number of ransomware intrusions originating from compromised virtual private network infrastructure. In many of these cases, multifactor authentication was either absent or inconsistently enforced. Additionally, insufficient monitoring and lack of account lockout mechanisms enabled threat actors to authenticate through brute-forcing credentials without triggering alerts, ultimately enabling unauthorized access.
The most recent trend observed by MOXFIVE involves threat actors deploying Akira and DragonForce ransomware variants to target WatchGuard VPN appliances. These attacks often involve the exploitation of publicly exposed vulnerabilities, particularly in environments where authentication controls are weak or inconsistently applied.
SonicWall VPN appliances have also been affected by recent vulnerability exploitation. The most recent SonicWall exploitation is CVE-2025-32819, an arbitrary file deletion vulnerability in SMA 100 series appliances that may have been exploited as a zero-day prior to disclosure. For more details, see SonicWall’s official advisory.
Black Basta affiliates have been observed using an automated brute-forcing tool known as BRUTED to compromise VPN and firewall credentials at scale. The tool targets a range of remote access services, including SonicWall NetExtender, Cisco AnyConnect, Fortinet SSL VPN, Palo Alto GlobalProtect, Citrix NetScaler, and WatchGuard SSL VPN. A similar publicly available tool is Medusa, a modular, high-speed login brute-force tool that supports parallel authentication attempts across multiple protocols. For more details on BRUTED and its use by Black Basta, see Cerium Networks’ April advisory.
These cases reinforce the need for organizations to treat VPN access as a high-risk entry point and secure it with the same rigor as any internet-facing system.
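The failure modes this case study describes (no MFA, no account lockout, and credential brute-forcing that never triggers an alert) are visible in VPN authentication logs if someone looks. The following Python is an added example, not MOXFIVE tooling or any vendor's product: it parses a constructed, hypothetical log format (`timestamp user src_ip result mfa_method`), flags high-volume failures from one source, password spraying across many accounts, a success that follows a run of failures, and successful logins without MFA, and also computes which accounts a lockout policy would have locked. The thresholds and window are assumptions to tune per environment.

```python
"""Detect VPN credential brute-forcing and spraying in authentication logs.

Added example; the log format below is hypothetical and the lines are
constructed. Thresholds are illustrative assumptions, not vendor defaults.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO8601 ts> <user> <src_ip> <FAIL|SUCCESS> <mfa>"
SAMPLE_LOG = """\
2025-04-10T02:00:01Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:04Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:07Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:10Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:13Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:16Z jsmith 203.0.113.45 FAIL none
2025-04-10T02:00:19Z jsmith 203.0.113.45 SUCCESS none
2025-04-10T02:05:00Z aperez 198.51.100.7 FAIL none
2025-04-10T02:05:30Z bwong 198.51.100.7 FAIL none
2025-04-10T02:06:00Z cdiaz 198.51.100.7 FAIL none
2025-04-10T02:06:30Z dkhan 198.51.100.7 FAIL none
2025-04-10T08:15:02Z mgarcia 192.0.2.10 FAIL none
2025-04-10T08:15:20Z mgarcia 192.0.2.10 SUCCESS push
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    success: bool
    mfa: str  # "none" means the appliance did not challenge for MFA


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the hypothetical log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, result, mfa = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, src_ip, result == "SUCCESS", mfa))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=4):
    """Return (kind, src_ip, detail) alerts using a per-source sliding window."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    for src, evs in by_src.items():
        recent_fails = deque()            # failures from this source inside the window
        flagged_bf = flagged_spray = False
        for e in evs:
            while recent_fails and e.ts - recent_fails[0].ts > window:
                recent_fails.popleft()    # expire failures older than the window
            if not e.success:
                recent_fails.append(e)
                # Many failures from one source: classic credential brute-forcing.
                if not flagged_bf and len(recent_fails) >= fail_threshold:
                    alerts.append(("brute_force", src,
                                   f"{len(recent_fails)} failures within {window}"))
                    flagged_bf = True
                # Few failures per account but many accounts: password spraying,
                # which per-account lockout alone does not stop.
                distinct = {f.user for f in recent_fails}
                if not flagged_spray and len(distinct) >= spray_users:
                    alerts.append(("password_spray", src,
                                   f"{len(distinct)} distinct accounts targeted"))
                    flagged_spray = True
            else:
                # A success right after a burst of failures is the signal that
                # brute-forcing worked; it deserves a response, not just a log line.
                if len(recent_fails) >= fail_threshold:
                    alerts.append(("success_after_failures", src,
                                   f"{e.user} logged in after {len(recent_fails)} failures"))
                if e.mfa == "none":
                    alerts.append(("no_mfa", src, f"{e.user} logged in without MFA"))
    return alerts


def accounts_to_lock(events, window=timedelta(minutes=10), threshold=5):
    """Accounts a lockout policy (threshold failures per window) would have locked."""
    locked = set()
    fails_by_user = defaultdict(deque)
    for e in events:
        if e.success:
            continue
        q = fails_by_user[e.user]
        q.append(e.ts)
        while q and e.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(e.user)
    return locked


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for kind, src, detail in detect(evs):
        print(f"[{kind}] {src}: {detail}")
    print("lockout would have applied to:", sorted(accounts_to_lock(evs)))
```

On the constructed sample, 203.0.113.45 produces the brute-force, success-after-failures and no-MFA alerts (the account compromise case), 198.51.100.7 produces only the spray alert (four accounts, one failure each, so a per-account lockout never fires), and 192.0.2.10 produces nothing. The lockout check locks only jsmith, which is exactly why the spray detector has to key on the source rather than the account.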
Strengthening VPN Security Controls
In response to the continued exploitation of VPN services by ransomware operators, organizations should prioritize the following controls to reduce the risk of unauthorized access:
Securing remote access infrastructure remains one of the most effective ways to disrupt common ransomware access pathways and limit exposure to credential-based attacks.
Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.