MOXFIVE Monthly Insights - August 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.

Subscribe

August Highlights

Ransomware activity slowed slightly in August compared to July, a seasonal trend often seen towards the end of summer. Akira and Qilin remained among the most actively deployed ransomware, while Manufacturing and Production was the most impacted industry.

The month also brought continued exploitation of a WinRAR zero-day (CVE-2025-8088) and the release of public exploit code for SAP NetWeaver. This report also covers the emergence of LunaLock, a new ransomware variant that introduced an unorthodox extortion method by threatening to release stolen artwork to AI companies for use in training datasets.

Top Threats

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • WinRAR Path Traversal Vulnerability (CVE-2025-8088): A zero-day path traversal flaw in WinRAR enables attackers to execute code via malicious archive files. Patched on July 30, the vulnerability was actively exploited through August by RomCom, a Russia-aligned threat group. See WinRAR’s release notes here.
  • SAP NetWeaver Exploit Chain (CVE-2025-31324 and CVE-2025-42999): Chained vulnerabilities in SAP NetWeaver Visual Composer allow an unauthenticated attacker to bypass authentication and achieve remote code execution with administrator privileges. Although both were patched in April and May, public exploit code was released in August and has since been weaponized by ransomware and espionage actors. Relevant SAP security notes can be found here.
Active Threat Actors

Overall, there was a slight decrease in ransomware activity in August compared to July; this is a common occurrence as the summer months draw to a close.

  • Akira and Qilin remained the most active groups. Both operate as Ransomware-as-a-Service (RaaS) and have consistently driven high volumes of activity due to their popularity among affiliates. Akira has led much of the activity observed in 2025, while Qilin’s commission model continues to attract affiliates.
  • Play maintained steady levels of activity in August. The group operates as a closed team rather than an open RaaS, and continues to have a significant impact without relying on a broad affiliate base. SafePay also remained active during the month, steadily increasing its activity throughout 2025.
  • Sinobi was first observed in late June and has grown in visibility through August. MOXFIVE assisted with one of the earliest cases involving this ransomware and is continuing to monitor changes in tactics as the group evolves.

Figure 1: Top ransomware variants based on number of known victims.

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Akira, and Play.

Manufacturing and Production was the most impacted industry in August based on observed ransomware activity. This sector has been a primary target for ransomware throughout the year, likely due to reliance on operational technology and complex supply chains.

Healthcare ranked second after a quieter July, while Technology followed as the third most impacted sector. Construction and Engineering and Retail and Hospitality rounded out the top five for this month.


Figure 2: Top industries impacted by ransomware this month.

New LunaLock Ransomware Introduces Artwork Extortion via AI Threats

In early September, a leak site was created for a new ransomware variant called LunaLock. The site contained a single posting tied to the art marketplace sector that included a $50,000 ransom demand. The operators combined traditional encryption and data theft with a new pressure tactic by threatening to submit stolen artwork to AI companies for inclusion in training datasets. Figure 3 shows the extortion notice published on the site.

Figure 3: LunaLock Data Leak Site.

This case reflects how ransomware operators are testing extortion approaches that go beyond publishing stolen data. By linking their demands to the threat of releasing artwork for AI training datasets, the actors behind LunaLock introduced a novel tactic intended to broaden the pressure on victims.

MOXFIVE observed LunaLock as part of our ongoing analysis of emerging ransomware variants. We continue to track new groups and extortion methods to remain proactive in supporting incident response and resilience planning.

Resilience Spotlight

Preparing for Unorthodox Extortion Methods

Ransomware groups are experimenting with new ways to pressure victims by threatening to use stolen data outside of traditional leak sites. In the case of LunaLock, the actors tied stolen artwork to a ransom demand with the claim it would be submitted to AI companies for training datasets. While this method may be novel, the objective remains the same: increase leverage by creating reputational, financial, or operational risk beyond data exposure.

Preparing for these tactics requires treating data governance as a core resilience measure: identify and prioritize sensitive data, reduce unnecessary access to it, and maintain visibility into exfiltration attempts. Incident response planning should also account for extortion scenarios that move beyond conventional leaks.

If you missed our Mid-Year Ransomware Briefing where we covered the latest developments and key trends for cyber incidents so far this year, it's now available online. Watch Now >>

Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.