Ransomware activity was lower than usual throughout May 2025, likely because threat actors were still adjusting to the operational disruption caused by RansomHub’s disappearance in April. Qilin and Play were the most active variants this month, with their increased volume likely tied to shifting affiliate activity.
This report also highlights the exploitation of critical vulnerabilities in SAP NetWeaver and Ivanti EPMM, both of which have been actively exploited by threat actors. The featured case study examines how threat actors use living off the land (LOTL) techniques to evade detection and escalate access post-compromise. The Resilience Spotlight outlines key controls for identifying and disrupting this behavior through behavioral monitoring and credential auditing.
Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.
Ransomware activity levels remained relatively low throughout May 2025, likely because threat actors were still transitioning away from RansomHub following its disappearance in April. Qilin’s elevated volume may be tied to this shift, as its operators offer a similar payment structure that could appeal to former RansomHub affiliates.
Figure 1: Top ransomware variants based on number of known victims.
For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin and Akira.
Manufacturing & Production remained the most impacted industry in May based on observed ransomware leak site activity. Construction & Engineering followed as the second most targeted, with both sectors frequently affected across multiple ransomware variants due to their operational dependencies and sensitivity to disruption.
Technology, Healthcare, and Education also ranked among the top targeted industries, reflecting the continued spread of ransomware across critical services, infrastructure, and institutions.
Figure 2: Top industries impacted by ransomware this month.
These rankings are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.
Living off the Land
Advanced threat actors often rely on “living off the land” (LOTL) techniques to persist within compromised environments, evade detection, and escalate access. Rather than deploying malware, they abuse legitimate tools and cloud-native features already present in the environment to blend in with normal activity.
One group known for using these tactics is Scattered Spider, which has demonstrated the use of native tooling to support lateral movement, persistence, and data staging, all while evading traditional detection.
LOTL techniques are commonly observed during ransomware investigations, particularly in the post-compromise phase when threat actors begin expanding access and preparing data for exfiltration. MOXFIVE has observed the following LOTL behaviors across recent cases:
Detecting & Disrupting LOTL Activity
Living off the land techniques often evade traditional detection methods by leveraging legitimate tools and processes. Detecting and disrupting this activity requires greater behavioral visibility and monitoring of native tool usage. The following controls can help improve detection and limit post-compromise escalation:
Improving visibility into legitimate tool usage and tightening control over credential access and automation pathways can help reduce dwell time and disrupt post-access activity before it escalates.
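As an added illustration of the behavioral monitoring described in the two sections above, the script below is example code written for this summary, not MOXFIVE tooling. It assumes EDR- or Sysmon-style process-creation events in JSON-lines form (fields `host`, `user`, `image`, `parent_image`, `cmdline` are an assumed schema), builds a per-user baseline of which native tools each account normally runs, and then flags native-tool executions that fall outside that baseline, are spawned by a parent that should never launch admin tooling, or carry an encoded PowerShell command line. The tool list, parent list and all sample events are constructed for the example.

```python
"""Baseline-driven detection of living-off-the-land (LOTL) tool usage.

Added example, not MOXFIVE code. The event schema, tool lists and sample
events are constructed assumptions standing in for real process telemetry.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a starter list of native Windows tools commonly observed in
# post-compromise activity (lateral movement, persistence, data staging).
NATIVE_ADMIN_TOOLS = {
    "powershell.exe", "wmic.exe", "certutil.exe", "rundll32.exe",
    "bitsadmin.exe", "net.exe", "schtasks.exe", "robocopy.exe", "ntdsutil.exe",
}
# Assumption: parent processes that have no business launching admin tooling.
UNEXPECTED_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}
# PowerShell's -e / -enc / -EncodedCommand switch (case-insensitive).
ENCODED_PS = re.compile(r"\s-e(nc(odedcommand)?)?\b", re.IGNORECASE)

REASON_NEW_TOOL = "native tool not in user's baseline"
REASON_PARENT = "native tool spawned by unexpected parent"
REASON_ENCODED = "encoded PowerShell command line"


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_events(lines: list[str]) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def build_baseline(history: list[dict]) -> dict[str, set[str]]:
    """Per-user set of native tools seen during a known-good baseline window."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for ev in history:
        image = _basename(ev["image"])
        if image in NATIVE_ADMIN_TOOLS:
            baseline[ev["user"].lower()].add(image)
    return baseline


def detect(events: list[dict], baseline: dict[str, set[str]]) -> list[Finding]:
    """Flag native-tool executions that deviate from the baseline or look abusive."""
    findings: list[Finding] = []
    for ev in events:
        image = _basename(ev["image"])
        if image not in NATIVE_ADMIN_TOOLS:
            continue  # Only native tooling is in scope for this detector.
        user = ev["user"].lower()
        parent = _basename(ev.get("parent_image", ""))
        host = ev["host"]
        if image not in baseline.get(user, set()):
            findings.append(Finding(host, user, image, REASON_NEW_TOOL))
        if parent in UNEXPECTED_PARENTS:
            findings.append(Finding(host, user, image, REASON_PARENT))
        if image == "powershell.exe" and ENCODED_PS.search(ev.get("cmdline", "")):
            findings.append(Finding(host, user, image, REASON_ENCODED))
    return findings


# Constructed baseline telemetry: what each account normally runs.
SAMPLE_HISTORY = [
    r'{"host":"WS01","user":"it-admin","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe -File C:\\scripts\\inventory.ps1"}',
    r'{"host":"WS01","user":"it-admin","image":"C:\\Windows\\System32\\net.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"net use Z: \\\\fs01\\share"}',
    r'{"host":"FS01","user":"svc-backup","image":"C:\\Windows\\System32\\Robocopy.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"robocopy D:\\data E:\\backup /MIR"}',
    r'{"host":"WS07","user":"jdoe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"chrome.exe"}',
]

# Constructed current telemetry to evaluate against the baseline.
SAMPLE_EVENTS = [
    # Normal: the admin runs the same scripted task seen in the baseline.
    r'{"host":"WS01","user":"it-admin","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"powershell.exe -File C:\\scripts\\inventory.ps1"}',
    # Suspicious: a user with no PowerShell history launches it from Word with
    # an encoded argument (placeholder base64, not a real payload).
    r'{"host":"WS07","user":"jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"powershell.exe -nop -w hidden -enc QUFBQQ=="}',
    # Normal: the backup account uses robocopy exactly as it always does.
    r'{"host":"FS01","user":"svc-backup","image":"C:\\Windows\\System32\\Robocopy.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"robocopy D:\\data E:\\backup /MIR"}',
    # Suspicious: the same user's first-ever use of a directory-service tool.
    r'{"host":"DC01","user":"jdoe","image":"C:\\Windows\\System32\\ntdsutil.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"ntdsutil.exe"}',
    # Out of scope: a non-native application, ignored by this detector.
    r'{"host":"WS07","user":"jdoe","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"chrome.exe"}',
]


if __name__ == "__main__":
    base = build_baseline(load_events(SAMPLE_HISTORY))
    for f in detect(load_events(SAMPLE_EVENTS), base):
        print(f"{f.host} {f.user} {f.image}: {f.reason}")
```

The baseline is what makes this behavioral rather than signature-based: the admin's PowerShell use and the backup account's robocopy runs produce nothing, while the same binaries in the hands of an account that has never used them are surfaced immediately. In practice the baseline window should be built from a period known to be clean, and each finding should be enriched with the credential context (logon type, source host, recent password or MFA changes) that the credential-auditing control above calls for.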
Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.