MOXFIVE Monthly Insights - September 2025
In this newsletter, we share the latest ransomware and threat actor insights from the MOXFIVE team.

September Ransomware and Threat Intelligence Highlights

Ransomware activity increased slightly in September, led by Akira and Play, which continued to account for a significant portion of observed incidents across multiple sectors. Inc, Qilin, and SafePay followed in overall activity, maintaining steady operations throughout the month. Manufacturing and Production, and Technology were the most impacted industries, reflecting continued targeting of organizations with complex vendor ecosystems and operational dependencies.

September also saw continued exploitation of SonicWall SSL VPN appliances through CVE-2024-40766, primarily linked to Akira ransomware intrusions. The most significant development of the month was the exploitation of a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882) by threat actors associated with Cl0p. The campaign involved widespread data theft and extortion targeting enterprise environments, consistent with Cl0p’s history of exploiting high-impact software vulnerabilities.

Top Threats & Exploits

Phishing emails, VPN vulnerabilities, lack of Multifactor Authentication (MFA), software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks.

  • Oracle E-Business Suite zero-day (CVE-2025-61882): A remote code execution vulnerability in Oracle E-Business Suite (EBS) has been exploited since late August by actors associated with Cl0p. The flaw allows unauthenticated access to core application components, enabling data theft and extortion consistent with Cl0p’s past operations. More details are provided in the Case Study below.
  • SonicWall SSL VPN improper access control (CVE-2024-40766): MOXFIVE continues to observe threat actors exploiting this vulnerability, in most cases to deploy Akira ransomware. The issue affects SonicWall firewall appliances and allows unauthorized access to the SonicOS management interface under specific conditions. Activity remains most common among organizations that migrated from Gen 6 to Gen 7 devices without resetting local account passwords. MOXFIVE released a vulnerability alert covering this in more detail here.

Active Threat Actors

Overall, ransomware activity increased slightly in September compared to August. Akira maintained the top position, followed closely by Play. Groups like Akira, Inc, and Qilin all operate as a ransomware-as-a-service (RaaS) model and continue to be a popular option for affiliate threat actors looking to deploy ransomware.

  • Akira remains one of the most active RaaS operations in 2025. Threat actors deploying the ransomware are frequently observed exploiting vulnerabilities in edge and remote-access technologies for initial access, including SonicWall CVE-2024-40766.
  • Play claims to operate as a closed group rather than an open RaaS model and continues to demonstrate strong operational consistency. Play intrusions often involve the use of custom tooling for network discovery and data exfiltration prior to encryption.
  • Inc, Qilin, and SafePay followed in overall activity. Inc continues to conduct multi-extortion operations combining data theft and encryption with public leak pressure. Qilin maintains a dual-payload model for Windows and Linux systems with a high commission structure that continues to attract affiliates. SafePay sustains steady levels of activity through 2025, with intrusions primarily relying on credential-based access methods.
Figure 1: Top ransomware variants based on number of known victims in September 2025 (Akira 25%, Play 15%, Inc 9%, Qilin 9%, SafePay 7%).

The ransomware and industry rankings below are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on Akira, Play, Inc, and Qilin.

Top Industries Impacted by Ransomware

Manufacturing and Production, and Technology were the most impacted industries in September, each accounting for a significant portion of observed ransomware activity.

Healthcare ranked third, followed by Construction and Engineering and Professional Services. The distribution of activity across these sectors reflects the continued focus of ransomware operators on critical services and industries with high operational dependencies.

Figure 2: Top industries impacted by ransomware in September 2025 (Manufacturing & Production 19%, Technology 19%, Healthcare 11%, Construction & Engineering 8%, Professional Services 8%).

Case Study - Cl0p Extortion Campaign

In late September, MOXFIVE observed a widespread extortion campaign conducted by threat actors associated with the Cl0p group. The threat actors sent a high volume of emails to organizations claiming to have accessed and exfiltrated data from Oracle E-Business Suite (EBS) environments. MOXFIVE published a Threat Actor Alert summarizing initial findings related to the campaign. Oracle later confirmed that the campaign exploited a critical vulnerability, tracked as CVE-2025-61882, which allows unauthenticated remote code execution through the BI Publisher Integration component of the EBS Concurrent Processing product. The exploitation activity began as early as August, weeks before a fix was available, and targeted supported versions 12.2.3 through 12.2.14. Oracle released an emergency patch on October 4 and strongly recommends that customers apply all updates detailed in its Security Alert Advisory for CVE-2025-61882.

This activity reflects Cl0p’s established operational model, which centers on exploiting newly disclosed or unpatched vulnerabilities in enterprise software to enable large-scale data theft and extortion. Similar operations have included exploitation of MOVEit Transfer, GoAnywhere MFT, and Accellion FTA. In each case, Cl0p leveraged zero-day or near-zero-day vulnerabilities in business-critical systems to steal data from multiple organizations, later issuing coordinated extortion demands. The Oracle EBS campaign continues this pattern, demonstrating the group’s ongoing focus on vulnerabilities that allow pre-authentication access to high-value corporate data.

How MOXFIVE Can Help

Resilience Spotlight - Protecting Oracle E-Business Suite

The Oracle E-Business Suite campaign shows the importance of proactive patch management, controlled exposure of enterprise applications, and ongoing monitoring of public-facing systems. Threat actors associated with Cl0p exploited a remotely accessible, unauthenticated vulnerability before a patch was available, reinforcing the need for strong preventive and detection controls across enterprise environments.
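The case study gives two facts a defender can act on immediately: the targeted version range (12.2.3 through 12.2.14) and the fact that the flaw is reachable without authentication, so internet-facing instances carry the most risk. The script below is an added example, not MOXFIVE or Oracle code, that triages a constructed EBS inventory against that range and ranks instances by exposure and patch state. The inventory fields `internet_facing` and `patched`, the hostnames, and the tier names are assumptions for illustration; "not_in_range" only means the version is outside the range named in the case study, not that the instance is safe.

```python
"""Triage an Oracle E-Business Suite inventory against the version range named
in the case study (12.2.3 through 12.2.14) and rank instances by exposure.
Added example with a constructed inventory; field names are assumptions."""
from dataclasses import dataclass

# Versions the case study reports as targeted (inclusive bounds), as int tuples
# so that 12.2.10 compares numerically rather than as a string.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)

# Ordering used to sort the output: most urgent first.
TIER_ORDER = {"critical": 0, "high": 1, "patched": 2, "not_in_range": 3}


@dataclass
class EbsInstance:
    host: str
    version: str
    internet_facing: bool  # assumed inventory field: reachable from the internet
    patched: bool          # assumed inventory field: Security Alert update applied


def parse_version(version: str) -> tuple:
    """Turn '12.2.10' into (12, 2, 10); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def in_affected_range(version: str) -> bool:
    """True when the version lies within 12.2.3 .. 12.2.14 inclusive.
    A two-part version such as '12.2' sorts below 12.2.3 and is not matched."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def risk_tier(inst: EbsInstance) -> str:
    """Classify one instance. Unpatched and internet-facing is the worst case,
    because the vulnerability is exploitable without authentication."""
    if not in_affected_range(inst.version):
        return "not_in_range"  # outside the named range, not proof of safety
    if inst.patched:
        return "patched"
    return "critical" if inst.internet_facing else "high"


def prioritise(instances):
    """Return (host, tier) pairs, most urgent first, then by hostname."""
    ranked = [(inst.host, risk_tier(inst)) for inst in instances]
    return sorted(ranked, key=lambda pair: (TIER_ORDER[pair[1]], pair[0]))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-01.example.internal", "12.2.10", True, False),
    EbsInstance("ebs-prod-02.example.internal", "12.2.14", False, False),
    EbsInstance("ebs-dev-01.example.internal", "12.2.3", True, True),
    EbsInstance("ebs-legacy.example.internal", "12.1.3", True, False),
]

if __name__ == "__main__":
    for host, tier in prioritise(SAMPLE_INVENTORY):
        print(f"{tier:<13} {host}")
```

Feeding a real inventory export into `EbsInstance` records turns the Resilience Spotlight's three themes (patch state, exposure, and monitoring of public-facing systems) into a single ranked work list, with the internet-facing, unpatched instances at the top.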

Key Resilience Actions:

If you missed our Mid-Year Ransomware Briefing, where we covered the latest developments and key trends for cyber incidents so far this year, it's now available online.

Need Help Now? Whether you need help responding to an incident or are just trying to better prepare for one, we can help. Contact us at 833-568-6695 or email our team directly at incident@moxfive.com.