MOXFIVE Monthly Insights - December 2025
In this newsletter, we share the latest ransomware and threat actor insights from the MOXFIVE team. Click the button below to subscribe if you are not already on the MOXFIVE mailing list.


December Ransomware Highlights

December closed out 2025 as one of the year's most active months for ransomware, with established operations maintaining momentum and edge networking equipment representing a key exploitation target. Qilin and Akira continued to dominate deployment activity, with concentrated targeting of Manufacturing and Production, Construction and Engineering, and Technology sectors. These industries face heightened risk due to operational dependencies and supply chain complexity that create significant leverage for extortion.

Throughout December we saw widespread exploitation of authentication and edge device vulnerabilities, including critical flaws in Gladinet CentreStack, Fortinet FortiCloud SSO, and WatchGuard Fireware OS. This month's Case Study examines LockBit 5.0, which showed significant activity in December and warrants monitoring heading into 2026. The Resilience Spotlight provides guidance on controls for defending against both emerging and long-standing ransomware threats.

Top Threats & Exploits

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Gladinet CentreStack and Triofox hardcoded cryptographic keys (CVE-2025-14611): This vulnerability arises from hardcoded AES cryptographic keys that allow threat actors to forge access tickets and achieve arbitrary file read without authentication. Although disclosed in December 2025, exploitation was observed starting in November. The vulnerability allows threat actors to access web.config files and can be chained with CVE-2025-30406 for remote code execution.
  • Fortinet FortiCloud SSO authentication bypass (CVE-2025-59718/CVE-2025-59719): These vulnerabilities stem from improper verification of cryptographic signatures, allowing unauthenticated attackers to bypass FortiCloud Single Sign-On authentication via crafted SAML messages. Disclosed in December 2025, the flaws were exploited shortly afterward; FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager are affected when the FortiCloud SSO feature is enabled.
  • WatchGuard Fireware OS out-of-bounds write (CVE-2025-14733): An out-of-bounds write vulnerability in the Internet Key Exchange Daemon (iked) process allows remote unauthenticated attackers to execute arbitrary code on Firebox devices. The vulnerability affects IKEv2 VPN configurations with dynamic gateway peers and was actively exploited in December 2025 as part of a wider campaign targeting edge networking equipment.
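The CentreStack issue above belongs to a broader class of weakness: a secret that is identical in every installation protects no one once it has been extracted from any one of them. As an added illustration (not code from Gladinet, MOXFIVE, or any product mentioned here), the Python below shows the defender-side pattern for an access-ticket scheme: a per-deployment secret generated at install time, a key identifier so the secret can be rotated, an expiry, and constant-time comparison. The ticket format, field names and the use of HMAC-SHA256 instead of AES are this example's own assumptions, chosen so it runs with the standard library; they are not CentreStack's mechanism.

```python
"""Illustrative access-ticket issuance and verification (added example).

Demonstrates why a per-deployment secret, key rotation and expiry matter:
a ticket minted for one deployment is rejected by another, tampering is
detected, and tickets issued under a retired key stop working.
Ticket layout and field names are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


class TicketAuthority:
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.current_kid = None
        self.keys = {}          # kid -> secret; current and recently retired keys
        self.retired = set()    # kids that still verify but are no longer accepted
        self.rotate()

    def rotate(self):
        """Generate a fresh random secret at install/rotation time.
        This is the step a hardcoded, vendor-wide key skips."""
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        if self.current_kid is not None:
            self.retired.add(self.current_kid)
        self.current_kid = kid
        return kid

    def _mac(self, kid, payload_b64):
        return hmac.new(self.keys[kid], payload_b64.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, path, now=None):
        now = int(time.time()) if now is None else now
        payload = {"kid": self.current_kid, "sub": user, "path": path, "exp": now + self.ttl}
        payload_b64 = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        return f"{payload_b64}.{self._mac(self.current_kid, payload_b64)}"

    def verify(self, ticket, now=None):
        """Return (ok, detail): ok is True only for an untampered, unexpired
        ticket minted under the current key; detail is the payload or a reason."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, tag = ticket.split(".", 1)
            payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        if not isinstance(payload, dict):
            return False, "malformed"
        kid = payload.get("kid")
        if kid not in self.keys:
            return False, "unknown key id"          # e.g. minted for another deployment
        if not hmac.compare_digest(tag, self._mac(kid, payload_b64)):
            return False, "bad signature"           # tampered payload or forged tag
        if kid in self.retired:
            return False, "retired key"             # rotation invalidates old tickets
        if payload.get("exp", 0) <= now:
            return False, "expired"
        return True, payload


def demo():
    """Constructed scenario: two independent deployments, one legitimate ticket."""
    site_a = TicketAuthority()
    site_b = TicketAuthority()   # a different install with its own secret
    t = site_a.issue("alice", "/share/report.pdf", now=1_000)
    tampered = t[:-1] + ("0" if t[-1] != "0" else "1")   # flip last hex digit of the tag
    results = {
        "valid": site_a.verify(t, now=1_100)[0],
        "other_deployment": site_b.verify(t, now=1_100)[0],
        "tampered": site_a.verify(tampered, now=1_100)[0],
        "expired": site_a.verify(t, now=2_000)[0],
    }
    site_a.rotate()
    results["after_rotation"] = site_a.verify(t, now=1_100)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>17}: {'accepted' if ok else 'rejected'}")
```

The point to take from the scenario is the `other_deployment` case: because each `TicketAuthority` draws its own secret, a ticket valid at one site is meaningless at another, which is exactly the property a hardcoded key destroys.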

Active Threat Actors

Ransomware activity increased in Q4 2025 compared to previous quarters, with December ranking as one of the most active months of the year. Qilin and Akira remained the most actively deployed ransomware throughout all of 2025, with over 1,500 victims published to their leak sites this year. Both groups operate under ransomware-as-a-service models that continued to drive a significant portion of activity through widespread affiliate deployment.

  • Qilin continued to be one of the most actively deployed ransomware variants in 2025. The group operates under a commission-based ransomware-as-a-service model, offering affiliates up to 80-85% of ransom payments. After RansomHub went offline in April 2025, Qilin absorbed many of its former affiliates and surged to become one of the year's most prolific groups.
  • Akira also remained one of the most frequently deployed ransomware variants throughout 2025. The group maintained steady activity supported by affiliates that rely on credential-based access and remote-access intrusion methods, with continued focus on exploiting SonicWall SSL VPN vulnerabilities for initial access.
  • Sinobi, SafePay, and DragonForce all remained active in December. Sinobi is a ransomware operation that has rapidly scaled activity since emerging in mid-2025. SafePay operates as a centralized group that emerged in late 2024 and has rapidly scaled operations targeting small-to-midsize businesses with double extortion tactics. DragonForce transitioned from a ransomware-as-a-service model to a cartel structure in March 2025, allowing affiliates to operate under their own brands while using shared infrastructure and tools.
Figure 1: Top ransomware variants based on number of known victims. Chart values: Akira 25%, Play 15%, Inc 9%, Qilin 9%, SafePay 7% (chart labelled September 2025).

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Akira, Sinobi, SafePay, and DragonForce.

Top Industries Impacted by Ransomware

Manufacturing and Production remained the most impacted industry in December, continuing a trend observed throughout 2025. Threat actors continue to target this sector due to the high impact that business interruption can have and the use of connected supply chains that create multiple paths for initial access. Technology was the second most impacted industry, as service providers and software platforms often maintain direct integration with client networks and cloud environments, increasing the potential impact of a single intrusion.

Technology, Healthcare, and Retail and Hospitality also saw consistent ransomware activity in December. Technology organizations remained attractive targets as service providers and software platforms often maintain direct integration with client networks and cloud environments, increasing the potential impact of a single intrusion. Healthcare organizations continued to face attacks due to the sensitivity of patient and operational data and their limited tolerance for sustained outages. Retail and Hospitality incidents often involved organizations that process payment data or operate distributed physical locations, exposing point-of-sale systems and supporting infrastructure.

Figure 2: Top industries impacted by ransomware this month. Chart values: Manufacturing & Production 19%, Technology 19%, Healthcare 11%, Construction & Engineering 8%, Professional Services 8% (chart labelled September 2025).

Across these industries, Qilin activity spanned most sectors throughout December. Akira activity was primarily concentrated in Manufacturing and Production as well as Construction and Engineering. The remaining top variants were distributed across multiple industries, with no single sector dominating their targeting patterns.

Case Study - LockBit 5.0 December Operations

Despite a major law enforcement disruption in early 2024, the LockBit ransomware operation persisted, with operators launching LockBit 5.0 in September 2025. In December, over 80 victims were posted on the LockBit 5.0 leak site, though some postings may include re-published data from earlier LockBit operations. Victims spanned multiple industries, with Technology and Manufacturing & Production the most heavily impacted sectors. While United States organizations represented the highest percentage of victims by country, targeting was significantly more geographically diverse than that of other leading ransomware operations, with substantial activity concentrated in Brazil, Germany, Turkey, and France. The group's targeting pattern warrants close monitoring as affiliate recruitment expands and operational focus may shift more heavily toward United States-based entities.

LockBit 5.0 introduced the following new enhancements:

Figure 3: LockBit 5.0 Data Leak Site.

LockBit first emerged in 2019 and quickly grew to become one of the largest ransomware-as-a-service operations globally. Following Operation Cronos in February 2024, which seized infrastructure, exposed affiliate data, and resulted in several arrests, key members of the operation evaded capture and kept LockBit alive. In September 2025, LockBit operators officially announced LockBit 5.0 on underground forums, marking the operation's sixth anniversary and calling for new affiliates to join. The variant's modular architecture and improved evasion capabilities signal the operation's continued viability as a ransomware threat heading into 2026.

Resilience Spotlight - Defending Against Established Ransomware Operations

LockBit 5.0 demonstrates how established ransomware operations can maintain continuity and resume large-scale campaigns following infrastructure disruption. The variant's cross-platform capabilities, enhanced evasion mechanisms, and mature affiliate network represent the type of persistent, well-resourced threat that can impact organizations across industries and geographies. Resilience in this environment depends on a focused set of controls that reduce the impact of ransomware operations regardless of whether they are newly emerged variants or long-standing groups with proven track records.

Critical Controls for Modern Resilience:

How MOXFIVE Can Help

MOXGUARD: Strategic advisory including AD/identity assessments, CVE alerting prioritized to active ransomware exploitation, guidance on segmentation and backup hardening, tabletop exercises with response playbooks, and pre-positioned incident response.

Professional Services: Control validation through EDR coverage assessments, purple team exercises, network segmentation reviews, backup immutability and restoration testing, external attack surface reduction, and SIEM/XDR detection engineering. Our team has handled hundreds of ransomware cases against Qilin, Akira, LockBit, and other active operations, aligning preventive, detective, and recovery controls to current threat actor TTPs.

Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.