SonicWall A.I. CyberSecurity Scoring
Company Information
- Website: http://www.sonicwall.com
- Employees: 1,979
- Followers: 114,071
- NAICS: 541514
- Industry type: Computer and Network Security
- Homepage: sonicwall.com
SonicWall Risk Score (AI oriented): 100/1000, grade C (Critical; band 0 to 549). Updated: 13/05/2026.
SonicWall Global Score (TPRM): score locked.
Current Score: 100 C (Critical), 25 incidents, 0 avg impact.
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
Monthly score, January to June 2026: 100 in each month (January, February, March, April, May, June).
Vulnerability
01 Jan 2026 • SonicWall
Fortinet and SonicWall: Ransomware reaches elevated ‘new normal’ as attack volumes hold steady into 2026, reshape baseline risk expectations
Ransomware Activity Stabilizes at Elevated Levels in Q1 2026, Shifting Tactics and Targets
Score: 100 (Critical) • ID: FORSON1776335417
The first quarter of 2026 marked a period of sustained ransomware activity, with attack volumes remaining steady compared to both the previous quarter and the same period in 2025, according to GuidePoint Security’s Ransomware and Cyber Threat Insights report. After a late-2025 surge, the threat landscape has settled into a "new normal," with no significant spikes or declines in victim counts or active ransomware groups.
### Key Trends in Ransomware Activity
The most active ransomware group, Qilin, claimed 361 victims, a 25% drop from its Q4 2025 peak of 484. Meanwhile, The Gentlemen, a relative newcomer that ranked 16th in Q4 2025 with just 35 victims, surged to 182 victims, becoming the second-most active group. Akira, another long-standing player, saw a 22% decline in activity (from 226 to 176 victims), likely due to the waning effectiveness of its exploitation of SonicWall SSL VPN vulnerabilities.
Clop continued its prolonged extortion campaign, posting victims in Q1 2026 from breaches that occurred in late 2025, a tactic consistent with its history of stretching out disclosures over months.
### Geographic and Sector Shifts
The U.S. remained the top target, accounting for 51% of all ransomware victims (1,084 incidents), followed by the U.K. and Canada (4% each, 88 incidents). Thailand entered the top 10 for the first time, signaling growing ransomware impacts in developing economies. Brazil and India also remained frequent targets, reflecting persistent threats to emerging markets.
While manufacturing remained the most targeted sector, construction saw a 44% year-over-year increase, pushing it into the top five. This shift suggests attackers are expanding into industries with weaker cybersecurity defenses but valuable operational data.
### Evolving Tactics: Extortion Over Encryption
Ransomware groups are increasingly abandoning traditional encryption-based attacks in favor of data theft and extortion-only operations. This approach reduces operational complexity while maintaining pressure on victims through the threat of public data leaks.
### Emerging and Declining Threat Groups
- NightSpire, a financially motivated group operating since 2025, claimed 74 victims in Q1 2026 alone, primarily targeting SMBs with unpatched FortiOS/FortiProxy vulnerabilities (CVE-2024-55591). The group relies on living-off-the-land tools (PowerShell, PsExec, WMI) to evade detection.
- Scattered Spider, LAPSUS$, and ShinyHunters rebranded under the unified banner "Scattered LAPSUS$ Hunters" in August 2025, though the move reflected overlapping membership rather than a true merger. The group remains highly efficient, compressing attack timelines to 24–48 hours and has been linked to over $66 million in extortion demands since 2022.
- Akira, one of the longest-operating RaaS groups (active since 2023), saw its victim count drop after peaking in Q4 2025, likely due to declining exploitation of SonicWall flaws.
### AI Supply Chain Attack Highlights New Risks
In February 2026, VirusTotal reported the first large-scale supply chain attack on an AI platform, targeting OpenClaw’s skills marketplace. Attackers published 314 malicious "skills" (automation tools disguised as legitimate software) that delivered information-stealing malware. The incident underscored the growing risks of agentic AI systems, which rely on instruction-based (rather than code-based) extensions, making traditional malware detection less effective.
### Outlook: Stability with Potential Disruptions
While Q1 2026 saw no major shifts in overall ransomware volume, GuidePoint warned that periods of stability have historically been short-lived. The report noted that law enforcement actions, internal conflicts, or new group formations could disrupt the current equilibrium. Additionally, a mid-year "summer slowdown" (a recurring dip in victim claims between Q2 and Q3) may temporarily reduce activity before potential resurgences later in the year.
DECEMBER 2025 (score 100)
Vulnerability
15 Dec 2025 • SonicWall
Ivanti, SonicWall and Cisco: Vulnerability exploitation surges often precede disclosure, offering possible early warnings
Exploitation Surges Preceding Vulnerability Disclosures (Dec 2025 - Mar 2026)
Score: 100 (Critical) • ID: IVASONCIS1776702475
GreyNoise Report: Exploitation Surges Often Precede Vulnerability Disclosures by Weeks
A recent report from threat intelligence firm GreyNoise reveals that hackers frequently begin exploiting software vulnerabilities before vendors publicly disclose them, sometimes weeks in advance. Analyzing attack patterns between mid-December 2025 and late March 2026, GreyNoise found that nearly half of all scanning and exploitation surges targeting specific products were followed by vulnerability disclosures within three weeks.
The median time between a surge in malicious activity and a vendor’s disclosure was 11 days, offering organizations a potential early warning to patch or harden systems. Of the 42 scanning events observed, 57% led to disclosures, while 56% of brute-force attempts and 42% of remote-code-execution (RCE) probes also preceded public CVEs.
The report highlights distinct patterns in attacker behavior:
- Scanning activity was widely dispersed, with many IP addresses conducting a few sessions each, likely broad reconnaissance.
- Later-stage attacks (brute-force and RCE) were more concentrated, with fewer IPs generating high session volumes, suggesting targeted exploitation.
- High-severity flaws generated the most probing activity, with some exploitation detected up to 39 days before disclosure.
Notable examples include:
- A Cisco vulnerability exploited in five surges over 18 days before disclosure, with IP activity dropping but session counts rising, a shift from reconnaissance to focused attacks.
- Juniper, SonicWall, and Ivanti flaws also saw early exploitation, with one Ivanti flaw targeted 36 days prior to disclosure.
GreyNoise’s findings underscore that exploitation surges can serve as an early indicator of undisclosed vulnerabilities, particularly for critical infrastructure vendors. The data suggests that organizations monitoring such activity may gain a critical window to mitigate risks before patches are available.
NOVEMBER 2025 (score 100)
Ransomware
20 Nov 2025 • SonicWall
SonicWall
Rise in Ransomware Attacks Exploiting Compromised VPN Credentials in Q3 2024
Score: 100 (Critical) • ID: SON5792057112025
SonicWall suffered a prolonged ransomware campaign by the Akira group, exploiting compromised VPN credentials (SSLVPN services) as the primary initial access vector. The attack involved credential stuffing and brute-force techniques, targeting weak or absent MFA controls and insufficient lockout policies. The breach extended to SonicWall’s cloud service, exposing sensitive configuration backups of client devices—critical data that could facilitate further attacks on customers. Akira accounted for 39% of Beazley’s incident response cases in Q3, highlighting systemic vulnerabilities in SonicWall’s security posture. The incident underscores the risk of leaked credentials on the dark web, which were weaponized to deploy ransomware across multiple victim environments. The compromise not only disrupted SonicWall’s operations but also amplified supply-chain risks for its clients, as attackers leveraged stolen backups to exploit downstream targets. The financial and reputational damage includes regulatory scrutiny, customer distrust, and potential litigation, compounded by the operational outages caused by ransomware encryption. The attack also revealed critical gaps in patch management, as Akira exploited unpatched systems alongside weak credential hygiene. While the report does not confirm data exfiltration beyond configuration backups, the potential for broader data leaks (e.g., customer or employee PII) remains a latent risk, given the nature of ransomware operations. The incident aligns with broader trends where VPN appliances are prime targets, with SonicWall’s breach serving as a case study in how initial access brokers monetize stolen credentials to deploy high-impact ransomware.
NOVEMBER 2025 (score 100)
Vulnerability
01 Nov 2025 • SonicWall
SolarWinds, SonicWall and Cisco: Payouts King ransomware uses QEMU VMs to bypass endpoint security
Payouts King Ransomware Abuses QEMU for Stealthy Attacks
Score: 100 (Critical) • ID: SOLSONCIS1776457498
The Payouts King ransomware operation is leveraging the QEMU emulator as a reverse SSH backdoor to deploy hidden virtual machines (VMs) on compromised systems, evading endpoint security detection. QEMU, an open-source virtualization tool, allows attackers to execute malicious payloads, store files, and establish covert remote access, tactics previously observed in campaigns by 3AM ransomware, LoudMiner, and CRON#TRAP.
### Two Active Campaigns
Cybersecurity firm Sophos identified two distinct campaigns exploiting QEMU:
1. STAC4713 (Payouts King)
   - First observed in November 2025, linked to the GOLD ENCOUNTER threat group.
   - Initial access via exposed SonicWall VPNs and later through SolarWinds Web Help Desk (CVE-2025-26399).
   - More recent attacks used Cisco SSL VPN exploits and Microsoft Teams phishing, tricking employees into installing QuickAssist.
   - Attackers deploy a hidden Alpine Linux VM (v3.22.0) via a scheduled task (TPMProfiler), disguising virtual disks as databases or DLLs.
   - Tools inside the VM include AdaptixC2, Chisel, BusyBox, and Rclone, with reverse SSH tunnels for persistence.
   - Post-infection, they exfiltrate NTDS.dit, SAM, and SYSTEM hives via SMB and Rclone to remote SFTP servers.
2. STAC3725 (CitrixBleed 2 Exploitation)
   - Active since February 2025, targeting NetScaler ADC/Gateway (CVE-2025-5777).
   - After compromise, attackers deploy a ZIP archive containing a malicious executable that:
     - Installs a service (AppMgmt).
     - Creates a local admin user (CtxAppVCOMService).
     - Deploys ScreenConnect for persistence.
   - A QEMU-based Alpine Linux VM is then launched, where attackers manually install tools like Impacket, KrbRelayx, BloodHound.py, and Metasploit for credential harvesting, AD reconnaissance, and data exfiltration via FTP.
### Ransomware Tactics & Attribution
Payouts King employs AES-256 (CTR) + RSA-4096 encryption, intermittent file encryption, and anti-analysis techniques. Ransom notes direct victims to dark web leak sites. Zscaler suggests ties to former BlackBasta affiliates, citing similar initial access methods (e.g., spam bombing, Teams phishing, Quick Assist abuse).
The group also terminates security tools via low-level system calls and establishes persistence through scheduled tasks. Organizations are advised to monitor for unauthorized QEMU installations, suspicious SYSTEM-level tasks, and unusual SSH port forwarding.
OCTOBER 2025 (score 100)
Ransomware
27 Oct 2025 • SonicWall
Marquis: Marquis cyber breach exposes ‘fourth-party’ dangers
Ransomware Attack on Fintech Firm Marquis
Score: 100 (Critical) • ID: MAR1767095032
Massive Ransomware Attack on Fintech Firm Exposes 1.35 Million Bank Customers
A ransomware attack on U.S.-based fintech provider Marquis, which serves over 700 banks and credit unions, has compromised the personal and financial data of nearly 1.35 million customers—far exceeding initial estimates of 400,000. The breach, disclosed between October 27 and November 25, exposed sensitive details, including bank account numbers, debit and credit card information, across at least 74 of Marquis’s clients.
The incident underscores a critical vulnerability in the financial sector’s supply chain security, particularly the often-overlooked risk posed by "fourth-party" vendors—the suppliers of a bank’s third-party providers. The attack exploited a vulnerability in a SonicWall firewall used by Marquis, highlighting gaps in due diligence. While 95% of bank directors assess third-party security, only 40% extend scrutiny to fourth parties, according to cybersecurity firm Qualys.
The fallout is expected to reshape risk management practices. Banks are likely to tighten vendor contracts, demand continuous vulnerability scanning, and face higher cyber insurance premiums—which have already surged 30-50% post-breach. Regulators may also intervene, with U.S. agencies (FDIC/OCC) and UK authorities (FCA/PRA) poised to impose stricter controls, including mandatory monitoring and shared encryption responsibilities.
Beyond financial penalties, the breach could lead to brand damage, executive liability, and even judicial consequences for institutions failing to secure their supply chains. The attack aligns with broader trends: a Semperis report reveals that 52% of ransomware incidents occur on weekends or holidays, while attackers increasingly use regulatory complaints and physical threats as extortion tactics. The incident serves as a stark reminder of the escalating sophistication of cybercriminals targeting financial infrastructure.
OCTOBER 2025 (score 100)
Breach
08 Oct 2025 • SonicWall
Wisner Baum LLP: DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of Wisner Baum LLP Clients Whose Data May Have Been Compromised
Wisner Baum LLP Data Breach Investigation
Score: 100 (Critical) • ID: WIS1769454564
Wisner Baum LLP Investigates Data Breach Impacting Sensitive Personal Information
On January 26, 2026, Edelson Lechtzin LLP announced an investigation into a data breach at Wisner Baum LLP, a Los Angeles-based law firm specializing in litigation against major corporations. The breach was first detected on October 9, 2025, when Wisner Baum identified suspicious activity on its IT network.
An internal investigation revealed that an unauthorized third party accessed the firm’s systems between October 8 and October 9, 2025, potentially exfiltrating files containing sensitive personal data. Affected information may include names, driver’s license numbers, bank account and routing details, and medical records.
Edelson Lechtzin LLP is exploring legal action on behalf of individuals whose data may have been compromised. The firm, known for handling class action lawsuits involving data breaches, securities fraud, and consumer protection cases, is currently gathering information from impacted parties.
No further details on the scope of the breach or the number of affected individuals have been disclosed at this time. The incident remains under investigation.
OCTOBER 2025 (score 100)
Cyber Attack
01 Oct 2025 • SonicWall
SonicWall
Coordinated Cyber Intrusions Targeting SonicWall SSL VPN Devices
Score: 100 (Critical) • ID: SON1232512101325
A sophisticated cyberattack campaign targeted SonicWall SSL VPN devices, compromising over 100 accounts since early October. Attackers exploited valid, exposed credentials (not brute force) from a centralized IP (202.155.8.73), indicating a premeditated, highly coordinated operation. The breach aligns with SonicWall’s disclosure that unauthorized parties accessed encrypted firewall configuration backups (containing sensitive credentials) via the MySonicWall cloud platform, contradicting its earlier claim that only <5% of installations were affected.
The attackers conducted reconnaissance, credential validation, and network scans, escalating to attempts at accessing local Windows accounts on compromised systems. While SonicWall denies a direct link between the backup leak and the VPN intrusions, the timing and methodical approach suggest exploitation of stolen configurations. The risk includes catastrophic data loss, lateral movement, and further system compromise, prompting urgent remediation: credential resets, service disablement (HTTP/S, SSH, SSL VPN), MFA enforcement, and enhanced logging.
The attack’s scale, precision, and potential for widespread exploitation—leveraging leaked configurations—pose a severe threat to global organizations relying on SonicWall’s infrastructure. Immediate action is critical to prevent further intrusions and mitigate damage.
SEPTEMBER 2025 (score 100)
Breach
18 Sep 2025 • SonicWall
SonicWall
SonicWall MySonicWall Backup Exposure Incident
Score: 100 (Medium) • ID: SON1091810100325
SonicWall detected a security incident where threat actors accessed encrypted backup firewall preference files stored in the MySonicWall cloud service for fewer than 5% of its firewall install base. Although no files were leaked online, the exposed data included encrypted credentials and configuration details that could facilitate further exploitation of affected firewalls. The breach resulted from brute-force attacks targeting the cloud backup service, not ransomware. SonicWall locked out the attackers, notified authorities, and urged impacted customers to reset credentials, reconfigure VPN pre-shared keys, and update TOTP bindings to mitigate risks. The remediation process requires importing new preference files, which disrupts VPNs and user access, necessitating manual reconfiguration. The company emphasized no evidence of data leaks but warned of potential follow-on attacks if exposed configurations were misused.
AUGUST 2025 (score 100)
Breach
14 Aug 2025 • SonicWall
Marquis Software Solutions
CoVantage Credit Union and Marquis Software Solutions Data Breach
Score: 100 (Critical) • ID: MAR1463814112725
Marquis Software Solutions, a Texas-based technology provider serving over 500 banks and credit unions, detected unauthorized network activity on August 14, 2025. A third-party breach investigation confirmed that an attacker accessed and exfiltrated sensitive files from its systems, exposing personally identifiable information (PII) of individuals associated with clients like CoVantage Credit Union. The compromised data included names, addresses, phone numbers, Social Security numbers, financial account details, and dates of birth—high-risk information for identity theft and financial fraud. Notifications to affected individuals began in late October 2025, with at least 22 New Hampshire residents confirmed impacted as of November 26, 2025. While the breach was isolated to Marquis’ environment (sparing CoVantage’s internal systems), the scale of exposed data—particularly SSNs and financial records—poses severe risks of fraud, phishing, and long-term identity exploitation. Marquis offered 24 months of credit monitoring via Epiq Privacy Solutions, but the incident underscores systemic vulnerabilities in third-party vendors handling sensitive financial data. Legal firms are pursuing class-action lawsuits for compensation, citing negligence in safeguarding consumer information.
AUGUST 2025 (score 100)
Ransomware
02 Aug 2025 • SonicWall
SonicWall
Zero-Day Vulnerability in SonicWall Firewall Devices Exploited by Akira Ransomware Group
Score: 100 (Critical) • ID: SON517080325
A suspected zero-day vulnerability in SonicWall firewall devices has led to a significant increase in ransomware attacks by the Akira ransomware group. The flaw allows attackers to gain initial access to corporate networks through SonicWall's SSL VPN feature, leading to subsequent ransomware deployment. The attackers have bypassed multi-factor authentication (MFA), indicating a sophisticated attack vector. The time between the initial VPN breach and the deployment of ransomware is short, giving victims little time to react. Arctic Wolf has recommended disabling the SonicWall SSL VPN service immediately until an official patch is developed and deployed.
JULY 2025 (score 100)
JUNE 2025 (score 100)
Ransomware
16 Jun 2025 • SonicWall
SonicWall
Q3 2025 Ransomware Surge and VPN Credential Exploits
Score: 100 (Critical) • ID: SON3832338111925
In Q3 2025, SonicWall faced a prolonged ransomware campaign by the Akira group, exploiting weak access controls in its SSLVPN services. Attackers leveraged credential stuffing to bypass authentication, targeting devices with absent MFA and insufficient lockout policies. The breach enabled unauthorized access to corporate networks, potentially exposing sensitive data and operational integrity. While the report does not confirm data exfiltration, the exploitation of SonicWall’s security appliances—critical for VPN access—poses severe risks, including lateral movement into customer environments, financial fraud, or operational disruptions. The incident underscores systemic vulnerabilities in access management, with attackers commoditizing stolen credentials via infostealers like Rhadamanthys. Though no direct customer data leak was confirmed, the compromise of VPN infrastructure threatens financial reputation, regulatory compliance, and trust in SonicWall’s security products. Mitigation required emergency patches, MFA enforcement, and forensic investigations to assess potential downstream impacts.
FEBRUARY 2025 (score 100)
Vulnerability
01 Feb 2025 • SonicWall
SonicWall and Marquis Software Solutions: Marquis Sues SonicWall, Alleges 2025 Cloud Flaw Led To Ransomware Hit / Fresh Today / CUToday.info
Marquis Software Solutions Sues SonicWall Over 2025 Cloud Vulnerability Linked to Ransomware Attack
Score: 100 (Critical) • ID: SONMAR1772202741
Marquis Software Solutions has filed a lawsuit against SonicWall, alleging that a February 2025 cloud vulnerability enabled a ransomware attack in August 2025, exposing sensitive data from hundreds of financial institutions, including credit unions. The breach, which triggered widespread notifications across the credit-union system, has had significant fallout for affected organizations.
According to the complaint, the attacker exploited exposed credentials and firewall configuration data from SonicWall’s cloud incident, bypassing multifactor authentication (MFA) protections. Marquis claims SonicWall introduced an exploitable flaw through an API code change, allowing unauthorized downloads of firewall configuration backups. The company alleges that predictable device serial numbers and unencrypted MFA "scratch codes" in the backups enabled threat actors to compromise systems.
SonicWall has denied the allegations, stating it has not found technical evidence linking its cloud incident to the ransomware attack and plans to contest the claims. Meanwhile, Marquis, which serves over 700 banks and credit unions (including Artisans’ Bank and VeraBank), reported that the breach led to customer notifications, legal expenses, forensic costs, and class-action litigation. The company is seeking damages, arguing SonicWall failed to adequately protect customer firewall data.
JANUARY 2025 (score 100)
Ransomware
01 Jan 2025 • SonicWall
SonicWall and Fortinet: BYOVD Attacks Help Ransomware Gangs Bypass Endpoint Defenses
Ransomware Evolves into Stealthier, More Destructive Threat in 2026
Score: 100 (Critical) • ID: SONFOR1778660813
In 2026, ransomware attacks have shifted from opportunistic strikes to highly calculated, multi-stage operations, adapting to global anti-ransomware efforts. A new Kaspersky report reveals that while overall attack volumes declined in 2025, the sophistication of these threats has surged, with manufacturing alone facing an estimated $18 billion in potential losses.
Attackers are now exploiting trusted system components to evade detection before deploying their payloads. A key tactic is the "Bring Your Own Vulnerable Driver" (BYOVD) technique, where cybercriminals use legitimate, signed drivers to disable security tools, including EDR killers that terminate monitoring agents. This method turns evasion into a repeatable phase of the attack lifecycle, systematically eroding defensive visibility.
Ransomware developers are also future-proofing their malware with post-quantum cryptography, such as the PE32 family’s use of ML-KEM (Kyber1024), which offers encryption strength comparable to AES-256. This ensures victims have virtually no chance of recovering files without paying.
With global ransom payments dropping to just 28% in 2025, threat actors are pivoting to encryptionless extortion. Instead of locking files, they steal sensitive data and threaten public disclosure, turning ransomware into a data security and compliance crisis, one that backups alone cannot mitigate.
The criminal ecosystem has also seen a shift. Following the disappearance of RansomHub in 2025, Qilin has emerged as the dominant ransomware-as-a-service (RaaS) platform, while new groups like "The Gentlemen" operate with structured, business-like efficiency. Other emerging actors (Devman, MintEye, and DireWolf) demonstrate how low the barrier to entry remains, often targeting enterprise hardware from Fortinet, SonicWall, and Cisco.
As ransomware evolves, organizations face an increasingly hostile landscape where even their own security tools are under siege.
Vulnerability
01 Jan 2025 • SonicWall
SonicWall, DragonForce, Fortinet, Cl0p and Play: Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft
Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape
Score: 100 (Critical) • ID: PHISONFORDRARAV1777458596
Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, marked by professionalized ransomware operations, the exploitation of AI, and deepening ties between cybercriminals and hybrid threat actors. The report, covering trends from 2025, highlights a shift in extortion tactics, the rise of ransomware-as-a-service (RaaS), and the growing intersection of cybercrime with broader criminal networks.
### Ransomware Dominates, Tactics Evolve
Ransomware remains the EU’s most pervasive cyber threat, with over 120 active brands observed in 2025. Attackers are moving away from traditional data encryption, instead favoring pure data theft and extortion, leveraging psychological pressure tactics such as DDoS attacks, corporate email spamming, and cold-calling victims. The report notes that enterprises are often less prepared for data leaks than encryption, making this shift particularly effective.
The RaaS model has lowered the barrier to entry, enabling even low-skilled actors to launch attacks using bundled toolkits. These platforms now offer integrated services, including botnets for payload delivery, data exfiltration infrastructure, machine learning support, and ransom negotiation tools. Operators take a cut of each payment, incentivizing the development of streamlined, all-in-one offerings.
Key ransomware groups in 2025 include:
- Qilin: A dominant player with ties to the defunct Conti group, offering high affiliate payouts (up to 85%) and automated exploitation of Fortinet SSL VPN vulnerabilities.
- Akira: Linked to Conti, expanding attacks to virtualized environments via SonicWall VPN flaws.
- DragonForce: A modular, service-driven group using leaked Conti and LockBit code, specializing in tailored extortion for high-value targets.
- LockBit: Struggled to recover after its 2024 takedown but released a cross-platform variant with enhanced anti-forensics.
- Cl0p & Play: Closed groups operating with strict internal security, targeting critical infrastructure and deploying double extortion.
A new alliance between DragonForce, LockBit, and Qilin emerged in late 2025, signaling deeper collaboration in the ransomware ecosystem. Meanwhile, semi-closed and closed groups such as Fog and BlackBasta are adopting tighter control, recruiting only trusted affiliates and developing proprietary tools to evade detection.
### Hybrid Threats and Cybercrime-as-a-Service
The IOCTA 2026 report warns of blurring lines between cybercriminals and hybrid threat actors, with state-linked groups increasingly using criminal networks as proxies for disruptive operations. In the cybercrime-as-a-service (CaaS) economy, hybrid actors are simply another customer, complicating attribution and enforcement.
A notable development is the Scattered LAPSUS$ Hunters (SLSH) alliance, formed in August 2025 by Scattered Spider, ShinyHunters, and LAPSUS$. These English-speaking groups specialize in SIM swapping, social engineering, insider recruitment, and large-scale data theft, targeting corporations, healthcare, and transport sectors. Their tactics include persistent harassment post-payment, and some members have ties to The Com network, a criminal ecosystem linked to extremism and child exploitation.
### AI, Infostealers, and DDoS as Enablers
Cybercriminals are rapidly adopting AI tools to automate attacks, enhance social engineering, and blur the line between legitimate and malicious technology. Infostealers remain a critical enabler, fueling a broad illicit market that supplies ransomware affiliates, fraudsters, and initial access brokers (IABs).
DDoS attacks persist as a low-effort, high-impact tool, often used for extortion or ideological disruption. While mitigation measures have improved, the minimal resources required make DDoS a sustainable strategy for destabilization, with targets including governments and critical infrastructure.
### Law Enforcement Challenges and Future Outlook
Europol’s Executive Director, Catherine De Bolle, emphasized the urgent need for proactive, collaborative efforts to counter cybercrime’s accelerating pace. The report calls for:
- Investment in AI capabilities for law enforcement.
- Stronger cross-border cooperation and data retention policies.
- Closer private-sector collaboration to access critical data held by online service providers.
The IOCTA 2026 report concludes that the cybercrime landscape will continue evolving at speed, driven by advanced tools and complex criminal networks. Law enforcement’s ability to close the "velocity gap", matching the pace of cybercriminal innovation, will determine its effectiveness in the coming years.
Vulnerability
01 Jan 2025 • SonicWall
SonicWall
SonicWall Cyber Attack
Score: 100 (Critical) • ID: SON502042125
SonicWall has experienced a cyber attack due to a remote code execution vulnerability affecting its Secure Mobile Access (SMA) appliances. These flaws impacted various SMA models and were exploited despite being patched four years ago. The flaw allowed remote threat actors to inject arbitrary commands and execute arbitrary code. This has been under active exploitation since at least January 2025 as confirmed by cybersecurity company Arctic Wolf and federal agencies. As a response to the attack, SonicWall has updated the security advisory and revised the CVSS score based on the newfound impacts.
Vulnerability
01 Jan 2025 • SonicWall
SonicWall, Fortinet and Palo Alto Networks: Google Warns Ransomware Groups Are Pivoting To Data Theft As Profits Decline
Ransomware Landscape Shifts in 2025 as Cybercriminals Pivot to Data Extortion
100
CRITICAL0
FORSONPAL1773829502
Google Threat Intelligence's 2025 ransomware report reveals a major transformation in cybercriminal tactics, driven by declining profits from traditional encryption-based attacks. With organizations improving their defenses (nearly half of victims restored systems from backups in 2024), ransom payment rates hit a historic low by 2025. The average ransom demand also dropped by a third, falling from $2 million in 2024 to $1.34 million.
The ransomware ecosystem has faced significant disruptions, including law enforcement crackdowns and internal conflicts that dismantled prominent groups like LockBit, ALPHV, Basta, and RansomHub. These upheavals forced cybercriminals to adopt stricter vetting processes for affiliates. Despite these challenges, the threat landscape remains active, with groups like Qilin and Akira filling the void. Data-leak site posts surged by nearly 50% in 2025, with the REDBIKE ransomware family accounting for 30% of analyzed incidents.
Attackers continue to exploit vulnerabilities in firewalls and VPNs, particularly in products from Fortinet, SonicWall, and Palo Alto, which were used in a third of 2025 intrusions. Virtualization infrastructure, such as ESXi hypervisors, has become a prime target, involved in 43% of attacks, up from 29% the previous year. Cybercriminals are also adopting cross-platform ransomware and leveraging AI for victim analysis, while decentralized Web3 networks help shield their operations.
As profits shrink, the report warns of a potential rise in aggressive extortion tactics in 2026.
Vulnerability
01 Jan 2025 • SonicWall
SonicWall: Ransomware, fraud, and lawsuits drive cyber insurance claims to new peaks
Ransomware and Financial Fraud Surge in 2025, Driven by Remote Access Vulnerabilities
100
CRITICAL0
SON1776925440
The 2026 InsurSec Report from At-Bay, analyzing over 100,000 policy years of claims data, reveals a sharp rise in cyber incidents in 2025, with ransomware and financial fraud leading the surge. Overall claim frequency increased by 7% year-over-year, while average severity hit a record $221,000. Ransomware severity reached $508,000, up 16% from 2024, making it the costliest incident type.
Remote Access Exploits Dominate Ransomware Attacks
Remote access services were the primary entry point for 87% of ransomware claims, up from 80% in 2024. VPN compromises accounted for 73% of intrusions where the vector was identified, a steep rise from 38% in 2023. SonicWall devices were involved in one-third of ransomware claims. Improved email security has shifted attacker focus away from phishing, with no ransomware claims originating from email in 2025.
The Akira ransomware group saw a 364% spike in activity in late 2025, executing attacks within hours or minutes of initial access. Akira's average ransom demand reached $1.2 million (50% higher than non-Akira demands), with payments averaging $452,000. Organizations with 24/7 managed detection and response (MDR) monitoring avoided encryption in every Akira case, while two-thirds of attacks occurred outside business hours, exploiting gaps in coverage.
Smaller Businesses Face Growing Threats
Companies under $25 million in revenue experienced the steepest increases, with ransomware frequency rising 21% and severity climbing 40% to $422,000. Manufacturing saw ransomware frequency at 2.2 times the portfolio average, while technology firms faced the highest severity ($875,000), followed by finance ($731,000) and healthcare ($675,000).
Financial Fraud Losses Escalate
Financial fraud remained the most common incident type, comprising 30% of claims for the third consecutive year. Email was the initial vector in 82% of cases, with average stolen funds rising 16% to $285,000. The largest single loss recorded was $9.65 million. Attackers increasingly routed malicious links through trusted cloud platforms like Cloudflare, which appeared in 69% of abused infrastructure alerts. Rapid reporting improved recovery outcomes: funds were returned in 70% of cases reported within three days, dropping to 30% after two weeks. At-Bay recovered $56 million in stolen funds in 2025.
Third-Party Liability Claims Surge
Third-party liability claims rose 70%, the largest increase among tracked incident types. Lawsuits under the California Invasion of Privacy Act (CIPA) accounted for 34% of claims, up from 7% in 2023, expanding beyond Meta Pixel to include tracking tools from LinkedIn and TikTok. Class action lawsuits followed 6% of ransomware incidents and 4% of data breaches, adding defense costs and settlements to initial attack damages. Business interruption coverage was triggered in one-third of ransomware claims, with average severity reaching $510,000, nearly triple that of claims without it. The largest single business interruption payout hit $5 million.
AUGUST 2024
100
Ransomware
01 Aug 2024 • SonicWall
SonicWall
Akira Ransomware Exploits Critical SonicWall Vulnerability (CVE-2024-40766) in Ongoing Attacks
100
CRITICAL0
SON2902029091125
The Akira ransomware gang exploited a critical CVE-2024-40766 (CVSS 9.8) vulnerability in SonicWall’s SSLVPN appliances, a flaw originally disclosed in August 2024 but left unpatched by many organizations. Over 438,000 SonicWall devices remained publicly exposed, enabling attackers to gain unauthorized access via misconfigurations, legacy credentials, and improper LDAP group settings. Akira and other ransomware groups (e.g., Fog) used this to encrypt systems within 10 hours of initial access, leading to widespread disruptions. Rapid7 reported double-digit incidents among its customers, while SonicWall confirmed fewer than 40 cases in early August 2025—though the actual impact is likely higher due to underreporting. The attacks leveraged default Virtual Office portal configurations, allowing MFA bypasses if credentials were previously exposed. Organizations failing to apply patches, enforce MFA, or restrict portal access faced full-system encryption, operational outages, and potential data exfiltration, threatening business continuity. The persistent exploitation highlights systemic negligence in mitigating known vulnerabilities, amplifying the risk of financial losses, reputational damage, and regulatory penalties for affected entities.
APRIL 2024
100
Cyber Attack
01 Apr 2024 • SonicWall
SonicWall
SonicWall Cyber Threat Report: Escalating Cyberattacks
100
CRITICAL0
SON407050824
The SonicWall Cyber Threat Report highlights the escalating costs and frequency of cyberattacks on organizations, underlining a worrying trend that affects businesses globally. In the last year, organizations of a relatively modest size (100-5,000 users) have not been spared, with more than half experiencing one or more cyber incidents. These events have been financially damaging, with the average cost soaring to $5.34 million. That figure represents not just a direct financial burden but also a series of indirect consequences, including tarnished reputations, operational disruptions, and potential regulatory penalties. These findings, drawn from an extensive collection of real-world data and threat intelligence, underscore the critical need for heightened cybersecurity vigilance. A proactive and comprehensive approach to cybersecurity, backed by real-time threat intelligence and robust defense mechanisms, is imperative for organizations seeking to navigate the digital landscape securely and mitigate the risks posed by an ever-evolving threat landscape.
MARCH 2024
248
Ransomware
01 Mar 2024 • SonicWall
SonicWall
Widespread Cyber Threats Across SMBs
100
MEDIUM-148
SON105050824
Over the past year, organizations ranging from small to medium businesses with 100-5,000 users have faced a significant cyber threat landscape, with 57% experiencing at least one cyberattack. These incidents have resulted in substantial financial losses, averaging $5.34 million per attack. This figure underscores the grave financial implications cyber threats pose, compelling businesses to reassess their cybersecurity measures. SonicWall, renowned for its real-time cyber threat intelligence, has been at the forefront of these observations. Their 2024 Cyber Threat Report compiles extensive data from 1.1 million security sensors across 215 countries, offering invaluable insights into the nature and frequency of these threats. By analyzing cross-vector threat-related information and leveraging shared intelligence within the cybersecurity community, SonicWall plays a pivotal role in enabling organizations worldwide to bolster their defenses against an evolving cyber threat landscape.
OCTOBER 2023
198
Cyber Attack
01 Oct 2023 • SonicWall
SonicWall
Coordinated Cyber Intrusions Targeting SonicWall SSL VPN Devices
180
CRITICAL-18
SON1132511101325
A sophisticated cyberattack campaign targeted SonicWall SSL VPN devices, compromising over 100 accounts since early October 2023. Threat actors exploited valid, exposed credentials (rather than brute-force methods) to infiltrate systems, originating from a single IP (202.155.8.73), suggesting a centralized command structure. The breach escalated after SonicWall disclosed that unauthorized parties accessed encrypted firewall configuration backups—containing sensitive credentials—via its MySonicWall cloud service. While SonicWall initially claimed the breach affected under 5% of installations, the timing and precision of the attacks imply a direct link. Attackers conducted reconnaissance, scanned networks, and attempted to access local Windows accounts, posing risks of catastrophic data loss. SonicWall urged immediate mitigation: resetting all credentials (admin, VPN, LDAP, API), disabling remote services, enabling MFA, and enforcing strict access controls. The campaign’s scale and methodical execution highlight severe vulnerabilities in critical network infrastructure, with potential for widespread exploitation if unchecked.
SEPTEMBER 2023
246
Breach
01 Sep 2023 • SonicWall
SonicWall
SonicWall Cloud Backup Service Data Breach
185
CRITICAL-61
SON2392523100925
SonicWall confirmed that all customers using its MySonicWall cloud backup service were impacted by a cybersecurity breach initially disclosed in September 2023. The attackers accessed firewall configuration backup files, which include critical network settings, policies, user/group/domain details, DNS/log configurations, and certificates. While SonicWall claims no evidence of compromise to production firewalls or other systems, the exposed data could enable threat actors—including nation-state groups or ransomware operators—to map internal infrastructure, pivot into connected environments, or launch follow-on attacks. Initially, SonicWall downplayed the incident, stating only <5% of customers were affected, but an independent forensic review revealed 100% of cloud backup users were exposed. Customers were advised to delete cloud backups, rotate credentials, and recreate backups locally. The company has not disclosed the attack vector, attributed the breach to a specific threat actor, or confirmed whether data was exfiltrated, leaked, or destroyed. This incident follows prior SonicWall breaches, including a zero-day VPN exploit linked to ransomware attacks earlier in 2023, further eroding customer trust in its security posture.
APRIL 2023
459
Ransomware
01 Apr 2023 • SonicWall
SonicWall
2024 Cyber Attack Trends Reported by SonicWall
174
CRITICAL-285
SON705050724
Over the past year, organizations ranging from 100 to 5,000 users have faced an increasing wave of cyberattacks. The 2024 SonicWall Cyber Threat Report highlights a concerning trend where 57% of these organizations endured at least one cyberattack, with an average financial toll of $5.34 million. This significant economic impact underscores the evolving and sophisticated nature of cyber threats. The report draws its conclusions from a robust dataset, courtesy of the SonicWall Capture Labs. This network, comprising over 1.1 million security sensors spread across 215 countries and territories, offers a unique vantage point into the tactics and vectors preferred by cyber adversaries. By analyzing cross-vector threat information and leveraging global malware and IP reputation data, SonicWall provides invaluable insights into cyber incidents. This comprehensive intelligence is not only a testament to the severity of the cybersecurity landscape but also serves as a critical resource for organizations aiming to navigate and mitigate the risks of cyberattacks.
MARCH 2023
721
Ransomware
01 Mar 2023 • SonicWall
Veeam, SonicWall and Cisco: Researchers Observe Sub-One-Hour Ransomware Attacks
Akira Ransomware Group Accelerates Attacks, Completing Full Compromise in Under an Hour
453
CRITICAL-268
VEESONCIS1775140482
Security researchers at Halcyon have identified a significant escalation in ransomware attack speed, with the Akira group now executing full attack lifecycles from initial access to data encryption in as little as one hour. The group, suspected to include former Conti hackers, has emerged as one of the most sophisticated ransomware operations since its debut in March 2023.
Akira primarily gains entry by exploiting vulnerabilities in internet-facing VPN appliances and backup solutions, particularly those without multi-factor authentication (MFA). Targeted vendors have included SonicWall, Veeam, and Cisco, though the group also employs credential theft, spearphishing, password spraying, and initial access brokers (IABs) to breach networks.
Once inside, Akira follows a double-extortion model, exfiltrating data before encrypting files. To evade detection, the group disables security software and leverages living-off-the-land tools like FileZilla, WinRAR, WinSCP, and RClone for data staging and encryption. Notably, Akira uses intermittent encryption (scrambling as little as 1% of a file) to maximize impact while minimizing detection time.
Halcyon’s report highlights Akira’s disciplined operational tempo, with attacks typically completed in under four hours and some in less than 60 minutes. The group’s stealthy approach, reliance on zero-day exploits, and use of compromised credentials allow it to maintain covert access while rapidly encrypting systems. Since its emergence, Akira has reportedly generated $244 million in ransom payments, according to U.S. government estimates.
JUNE 2021
762
Breach
16 Jun 2021 • SonicWall
SonicWall
SonicWall Cloud Backup Service Breach Exposes All Customer Firewall Configurations
699
CRITICAL-63
SON5492754101225
SonicWall confirmed a severe breach where hackers accessed firewall configuration backup files for all customers using its cloud backup service (MySonicWall portal). Initially downplayed as affecting only 5% of users, an internal investigation (assisted by Mandiant) revealed a full compromise of encrypted backups—including firewall rules, VPN configurations, and access controls—via brute-force attacks. While SonicWall claims the exfiltrated data is encrypted, experts warn it could be decrypted or leveraged for targeted exploits, phishing, or network mapping. The breach forces thousands of enterprises to reset credentials, regenerate encryption keys, and conduct forensic audits, disrupting operations. The incident exacerbates SonicWall’s reputation after repeated vulnerabilities since 2021 (e.g., zero-days in Secure Mobile Access) and raises compliance concerns under GDPR/NIST. Though no immediate exploitation is reported, the stolen data poses long-term risks, including supply-chain attacks akin to SolarWinds. Customers are advised to update firmware, monitor anomalies, and adopt zero-trust architectures to mitigate fallout.