MOXFIVE Monthly Insights - April 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click button below to subscribe if not already on the MOXFIVE mailing list.

April Highlights

Ransomware activity declined throughout April 2025, marking a shift from the elevated levels observed in previous months. This slowdown may be partially attributed to the disappearance of the RansomHub leak site in early April, which disrupted operations for one of the most active ransomware groups seen in Q1. Despite the overall dip, threat actors continued to frequently leverage variants such as Play and Akira.

This report highlights ongoing exploitation of the Windows CLFS privilege escalation vulnerability, as well as the continued targeting of virtual private network (VPN) infrastructure for initial access. Industry insights show consistent targeting of Manufacturing, Professional Services, and Technology organizations, with VPN exploitation featured as this month’s case study. The accompanying Resilience Spotlight outlines key controls to secure remote access pathways and reduce the risk of credential-based attacks.

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

• Windows CLFS Privilege Escalation Vulnerability (CVE-2025-29824): This zero-day vulnerability in the Windows Common Log File System (CLFS), originally disclosed in March, continued to be exploited by ransomware operators throughout April. The flaw allows attackers to escalate privileges to SYSTEM and has been linked to campaigns involving threat actors leveraging Play ransomware. Microsoft issued a patch in early April to address the issue.

Ransomware activity saw a noticeable dip throughout April, with fewer observed cases compared to previous months. One potential contributor to this slowdown was the unexpected disappearance of the RansomHub leak site in early April, which may have disrupted affiliate operations or driven a temporary shift in group activity across the broader threat landscape.
‍

• Play ransomware was the most active variant seen in April. Threat actors using Play often gain access by exploiting vulnerabilities in exposed services and domain controllers before moving laterally and deploying ransomware. The group continues to rely on double extortion and remains a consistent threat to enterprise environments.
  ‍
• Akira continues to be one of the most widely used ransomware variants, offered through a RaaS model with ongoing impact across most industries. Akira offers a unique “deliverable menu” of paid services, including decryptors and data deletion options.
  ‍
• Qilin, Lynx, and DragonForce followed as the next most active variants. While activity was slightly lower than the top two, each group maintained steady usage and continues to be observed in ongoing campaigns.

Figure 1: Top ransomware variants based on number of known victims.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Akira, Qilin, DragonForce and Lynx.

Manufacturing & Production remained the most impacted industry in April based on observed ransomware leak site activity. The sector continues to face sustained targeting, likely due to its reliance on uninterrupted operations and high sensitivity to downtime.

Professional Services and Technology followed, with both sectors consistently impacted across multiple ransomware variants. These industries often support a wide range of clients and infrastructure, increasing their exposure to opportunistic and targeted attacks.

Construction & Engineering and Healthcare also remained frequent targets, reflecting the broad reach of ransomware operations.

Figure 2: Top industries impacted by ransomware this month.

‍These rankings are based on observed ransomware data leak
site (DLS) activity for impacted organizations in the United States.

Exploitation as a Primary Initial Access Vector
Throughout 2025, MOXFIVE has observed a significant number of ransomware intrusions originating from compromised virtual private network infrastructure. In many of these cases, multifactor authentication was either absent or inconsistently enforced. Additionally, insufficient monitoring and lack of account lockout mechanisms enabled threat actors to authenticate through brute-forcing credentials without triggering alerts, ultimately enabling unauthorized access.

The most recent trend observed by MOXFIVE involves threat actors deploying Akira and DragonForce ransomware variants to target WatchGuard VPN appliances. These attacks often involve the exploitation of publicly exposed vulnerabilities, particularly in environments where authentication controls are weak or inconsistently applied.

SonicWall VPN appliances have also been affected by recent vulnerability exploitation. The most recent SonicWall exploitation is CVE-2025-32819, an arbitrary file deletion vulnerability in SMA 100 series appliances that may have been exploited as a zero-day prior to disclosure. For more details, see SonicWall’s official advisory.

Black Basta affiliates have been observed using an automated brute-forcing tool known as BRUTED to compromise VPN and firewall credentials at scale. The tool targets a range of remote access services, including SonicWall NetExtender, Cisco AnyConnect, Fortinet SSL VPN, Palo Alto GlobalProtect, Citrix NetScaler, and WatchGuard SSL VPN. A similar publicly available tool is Medusa, a modular, high-speed login brute-force tool that supports parallel authentication attempts across multiple protocols. For more details on BRUTED and its use by Black Basta, see Cerium Networks’ April advisory.

These cases reinforce the need for organizations to treat VPN access as a high-risk entry point and secure it with the same rigor as any internet-facing system.

Strengthening VPN Security Controls
In response to the continued exploitation of VPN services by ransomware operators, organizations should prioritize the following controls to reduce the risk of unauthorized access:

• Enforce Multifactor Authentication: Require MFA for all VPN access to prevent compromise through stolen or reused credentials.
• Monitor VPN Login Activity: Set up alerts for unusual login patterns, such as logins from unfamiliar IPs, geographic anomalies, or failed login attempts.
• Patch and Maintain VPN Appliances: Ensure firmware and software updates are applied regularly to close known vulnerabilities.
• Implement Strong Password Policies: Enforce the use of long, unique passwords managed through a secure password management solution. Avoid password reuse across systems, and ensure credentials are stored and shared securely.
• Restrict VPN Access by Role: Limit VPN access to only the users and systems that require it, applying least privilege principles where possible.

Securing remote access infrastructure remains one of the most effective ways to disrupt common ransomware access pathways and limit exposure to credential-based attacks.

Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.