MOXFIVE Monthly Insights - October 2025
In this newsletter, we share the latest ransomware and threat actor insights from the MOXFIVE team.

October Ransomware Highlights

Ransomware activity increased in October, driven by heightened deployment of Qilin and steady operations by Akira, Inc, and Play. Qilin was the most active variant, benefiting from a growing affiliate base following the RansomHub takedown. Manufacturing and Production remained the most impacted industry, followed by Healthcare, Technology, Retail and Hospitality, and Professional Services. Activity in these sectors reflected continued targeting of organizations with operational dependencies and integrated vendor networks.

October also included active exploitation of multiple vulnerabilities, including the Oracle E-Business Suite zero-day (CVE-2025-61882) associated with Cl0p and the Fortra GoAnywhere Managed File Transfer (MFT) deserialization flaw (CVE-2025-10035) leveraged in Medusa campaigns. MOXFIVE also observed the emergence of several new ransomware variants including Tengu, Genesis, Radiant, and Kryptos, each launching data leak sites (DLS) and posting initial victims. These developments reflect continued turnover within ransomware operations and reinforce the importance of adaptable resilience across enterprise environments.

Top Threats & Exploits

Phishing emails, VPN vulnerabilities, missing Multifactor Authentication (MFA) on remote access, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access vectors and enabling conditions for ransomware attacks.

  • Oracle E-Business Suite zero-day (CVE-2025-61882): A remote code execution vulnerability in Oracle E-Business Suite, exploited since late August 2025 by actors associated with Cl0p. The flaw is reachable without authentication and exposes core application components, enabling the data theft and extortion consistent with Cl0p's past operations. Oracle issued a security alert with fixes in early October 2025.
  • Fortra GoAnywhere MFT deserialization (CVE-2025-10035): A critical deserialization vulnerability in the GoAnywhere MFT License Servlet that allows unauthenticated remote command execution. Exploitation has been linked to Medusa ransomware campaigns beginning in early September and continuing through October 2025. For additional details, see the Fortra advisory.
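
As an added example (not MOXFIVE's or Fortra's code), the following Python script triages GoAnywhere MFT logs for signs that the License Servlet flaw above was reached from outside. It rests on two assumptions that are not stated in this newsletter: that a failed deserialization of a forged license response surfaces in the application log as an error mentioning SignedObject.getObject (the indicator my reading of the Fortra advisory points to), and that the License Servlet is served at /goanywhere/lic/accept. Both log formats, the addresses, and every log line are constructed for illustration; confirm the indicator and path against the current advisory before relying on the output.

```python
"""GoAnywhere MFT (CVE-2025-10035) log triage.

Added example, not MOXFIVE or Fortra code. Assumed, not taken from the
newsletter: the error indicator "SignedObject.getObject" and the License
Servlet path /goanywhere/lic/accept. All log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

INDICATOR = "SignedObject.getObject"             # assumed indicator string
LICENSE_SERVLET_PATH = "/goanywhere/lic/accept"  # assumed servlet path

# Source ranges treated as internal; anything else reaching the servlet is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Application log layout assumed here: "<date> <time> <LEVEL> [<thread>] <logger> - <message>"
APP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$")
# Tomcat combined-format access log
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample data (not real customer logs). 203.0.113.0/24 is a documentation range.
SAMPLE_APP_LOG = """\
2025-09-11 03:14:07 INFO  [http-nio-8000-exec-3] LicenseServlet - License response received
2025-09-11 03:14:07 ERROR [http-nio-8000-exec-3] LicenseServlet - Error parsing license response: java.lang.ClassCastException at java.security.SignedObject.getObject(SignedObject.java:178)
2025-09-11 03:14:08 INFO  [http-nio-8000-exec-4] AdminServlet - User admin logged in from 10.0.0.5
2025-09-11 03:15:22 ERROR [http-nio-8000-exec-7] LicenseServlet - Error parsing license response: java.lang.ClassCastException at java.security.SignedObject.getObject(SignedObject.java:178)
2025-09-11 03:20:00 WARN  [scheduler-1] FileTransfer - Retry 2 for job 1234
"""
SAMPLE_ACCESS_LOG = """\
203.0.113.17 - - [11/Sep/2025:03:14:07 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 500 1422
10.0.0.5 - - [11/Sep/2025:03:14:08 +0000] "GET /goanywhere/admin/ HTTP/1.1" 200 8831
203.0.113.17 - - [11/Sep/2025:03:15:22 +0000] "POST /goanywhere/lic/accept?bundle=AAAA HTTP/1.1" 500 1422
10.0.0.5 - - [11/Sep/2025:03:16:01 +0000] "POST /goanywhere/lic/accept HTTP/1.1" 200 512
"""

@dataclass
class AppEvent:
    ts: str
    level: str
    thread: str
    logger: str
    msg: str

@dataclass
class AccessEntry:
    ip: str
    ts: str
    method: str
    path: str
    status: int

def parse_app_log(text):
    """Parse application log lines; lines that do not match the layout are skipped."""
    return [AppEvent(**m.groupdict())
            for m in (APP_LINE.match(line) for line in text.splitlines()) if m]

def parse_access_log(text):
    """Parse combined-format access log lines; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if m:
            d = m.groupdict()
            out.append(AccessEntry(d["ip"], d["ts"], d["method"], d["path"], int(d["status"])))
    return out

def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_indicator_hits(events):
    """ERROR-level events whose message carries the (assumed) deserialization indicator."""
    return [e for e in events if e.level == "ERROR" and INDICATOR in e.msg]

def find_external_license_posts(entries):
    """POSTs to the License Servlet from addresses outside the internal ranges."""
    return [e for e in entries
            if e.method == "POST"
            and e.path.split("?", 1)[0] == LICENSE_SERVLET_PATH
            and not is_internal(e.ip)]

def triage(app_text, access_text):
    """Combine both signals into a summary an analyst can act on."""
    hits = find_indicator_hits(parse_app_log(app_text))
    posts = find_external_license_posts(parse_access_log(access_text))
    return {
        "indicator_hits": len(hits),
        "first_indicator_ts": hits[0].ts if hits else None,
        "external_license_posts": len(posts),
        "external_sources": sorted({p.ip for p in posts}),
        # Flag only when the servlet was reached from outside AND the server
        # logged the failure the advisory (as assumed here) ties to exploitation.
        "suspected_exploitation": bool(hits) and bool(posts),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_APP_LOG, SAMPLE_ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Run it against real files by reading them into the two text arguments of triage(). A hit on the error indicator alone is worth investigating even without a matching access-log entry, since reverse proxies or load balancers often hide the true source address; the combined flag is a prioritisation aid, not a verdict, and patching to a fixed GoAnywhere version and removing internet exposure of the admin and servlet paths should proceed regardless.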

Active Threat Actors

There was a considerable increase in ransomware activity in October compared to previous months. Much of that activity can be attributed to ransomware campaigns where Qilin was deployed. Among the most active variants, Qilin, Akira, and Inc operate as ransomware-as-a-service (RaaS) offerings, while Play and Sinobi operate as closed groups.

  • Qilin was the most actively deployed ransomware in October. There is a payload for both Windows and Linux, enabling affiliates to target mixed environments and virtualization hosts in a single campaign. Qilin operators use a commission-based payment model similar to RansomHub, which has driven affiliate uptake since the RansomHub takedown.
  • Akira remained highly active through October. Affiliates exploited vulnerabilities in edge and remote access technologies for initial access, including the SonicWall vulnerability CVE-2024-40766.
  • Sinobi, Inc, and Play rounded out observed activity. Sinobi, first seen in late June 2025, increased quickly through October. Inc maintained multi-extortion operations using data theft, encryption, and leak-site pressure. Play relied on custom discovery tooling and tight operational control.
Figure 1: Top ransomware variants based on number of known victims. Graph values (labeled September 2025): Akira 25%, Play 15%, Inc 9%, Qilin 9%, SafePay 7%.

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Qilin, Akira, Sinobi, Inc, and Play.

Top Industries Impacted by Ransomware

Manufacturing and Production was the most impacted industry in October, continuing a trend observed throughout 2025. Threat actors maintained focus on this sector due to the high operational impact of downtime and the use of connected supply chains that create multiple intrusion paths. Healthcare followed as the second most impacted industry, with reporting in October showing a shift from hospitals to healthcare vendors and service providers.

Technology, Retail and Hospitality, and Professional Services were also heavily impacted. Technology firms remained frequent targets because of their integration with client networks. Retail and Hospitality saw elevated targeting, with notable Sinobi activity observed against this sector. Professional Services continued to be targeted due to the potential for compromise to span multiple client environments.

Figure 2: Top industries impacted by ransomware this month. Graph values (labeled September 2025): Manufacturing & Production 19%, Technology 19%, Healthcare 11%, Construction & Engineering 8%, Professional Services 8%.

Across most sectors, threat actors deploying Qilin ransomware had the greatest impact on overall activity. Akira was also widely observed in the wild, but impact in October was concentrated in the Manufacturing and Production and Technology sectors. Threat actors deploying Sinobi primarily targeted Healthcare and Retail and Hospitality.

Case Study - Emerging Ransomware Operations in October

MOXFIVE tracked several new ransomware variants that entered the threat landscape in October (Tengu, Genesis, Radiant, and Kryptos), each launching a data leak site and posting initial victims. New ransomware operations appear every month, whether through new threat actors entering the landscape, rebrands of defunct groups, or the resurgence of older operations. MOXFIVE has experience assisting with some of the earliest cases involving new groups and continues to track emerging operations and extortion methods to remain proactive in supporting incident response and resilience planning.

Resilience Spotlight - Protecting Oracle E-Business Suite

Ransomware and intrusion activity accelerated this month as new variants emerged, and AI-driven automation shortened attacker timelines. Resilience depends on a focused set of controls that consistently reduces impact across both established and emerging threats.

Critical Controls for Modern Resilience:

What We Are Watching:

  • AI-enabled intrusion automation shrinking detection windows
  • Identity-focused attacks across VPN, SSO, Active Directory, and cloud roles
  • New ransomware entrants expanding multi-extortion activity
  • Zero-day and edge service exploitation targeting enterprise systems

Recommended Tabletop Scenarios:

  • Rapid ransomware encryption in a hybrid environment
  • Identity compromise through VPN or SSO abuse
  • Zero-day exploitation of an internet-facing application
  • Supply chain compromise affecting clients or vendors
  • Famous Chollima-style credential theft and persistent access activity

End of Year Priorities:

  • Validate EDR coverage and identity log completeness
  • Complete at least one full backup restoration test
  • Patch exposed systems and remove unnecessary access
  • Enforce MFA on all privileged and remote pathways
  • Conduct a focused ransomware or identity compromise tabletop

Top Playbooks to have Ready:

  • Ransomware Containment and Recovery
  • Privilege or Account Compromise
  • Business Email Compromise
  • Data Theft and Extortion
  • Third Party or Vendor Intrusion Escalation

How MOXFIVE Can Help

MOXFIVE supports organizations with control validation, resilience assessments, response playbook development, realistic tabletop exercises, exposure reduction, and backup and recovery testing. Our team aligns preventive, detective, and recovery controls to current ransomware and intrusion trends to strengthen resilience across modern enterprise environments. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.