U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million). The Onion router (TOR) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used TOR, while 28 percent indicated that ransomware actors used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware. FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

Crisis24’s OnSolve CodeRED emergency alert system has been disrupted by a cyberattack, leaving local governments throughout the U.S. searching for alternatives or waiting for a new system to come online. The INC ransomware group has claimed responsibility for the attack. Some personal data of users may have been exposed in the attack, including names, addresses, email addresses, phone numbers, and passwords, and users have been urged to change passwords for other accounts if the same password is used. Crisis24 is launching a new secure CodeRED System that was already in development, and local governments had varying reactions to the crisis.

New CodeRED Emergency Alert System Expected Soon

Several U.S. local governments issued statements after the attack, updating residents on the CodeRED system’s status and their plans. The City of University Park, Texas, said Crisis24 is launching a new CodeRED System, which was already in the works. “Our provider assures us that the new CodeRED platform resides on a non-compromised, separate environment and that they completed a comprehensive security audit and engaged external experts for additional penetration testing and hardening,” the city said in its statement. “The provider decommissioned the OnSolve CodeRED platform and is the process of moving all customers to its new CodeRED platform.” Craven County Emergency Services in North Carolina said the new CodeRED platform “will be available before November 28.” In the meantime, Craven County said announcements and alerts will continue to be released through local media, the Craven County website, or on Craven County’s social media accounts. The Douglas County Sheriff's Office in Colorado said on Nov. 24 that it took “immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED.” The Sheriff’s Office said it “is actively searching for a replacement for the CodeRED platform.” The office said it still has the ability to issue “IPAWS” alerts to citizens when necessary, and “will continue to implement various contingency plans, including outreach through social media and door-to-door notifications, to ensure our community stays informed during emergency situations.”

INC Ransom Claims Responsibility for CodeRED Attack

The INC Ransom group claimed responsibility for the CodeRED emergency alert system attack on its dark web data leak site. The threat actors say they obtained initial access on Nov. 1, followed by network encryption on Nov. 10. The group claims to have exfiltrated approximately 1.15 TB before deploying encryption. To substantiate their claims, INC Ransom has published several data samples, including csv files with client-related data, threat intelligence company Cyble reported in a note to clients. Additionally, the group released two screenshots allegedly showing negotiation attempts, where the company purportedly offered as much as USD $150,000, an amount the attackers claim they refused.

Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below). [caption id="attachment_106993" align="aligncenter" width="480"] Initial access vectors in ransomware attacks (Beazley Security)[/caption] “This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS.‍ Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”

The Akira ransomware group poses an “imminent threat to critical infrastructure,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. CISA joined with the FBI, other U.S. agencies and international counterparts to issue a lengthy updated advisory on the ransomware group, adding many new Akira tactics, techniques and procedures (TTPs), indicators of compromise (IoCs), and vulnerabilities exploited by the group. Akira is consistently one of the most active ransomware groups, so the update from CISA and other agencies is significant. As of late September, Akira has netted about $244.17 million in ransom payments, CISA said. The Akira ransomware group information was sourced from “FBI investigations and trusted third-party reporting,” the agency said. In a busy two days for the agency, CISA also added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (CVE-2025-9242, a WatchGuard Firebox Out-of-Bounds Write vulnerability, CVE-2025-12480, a Gladinet Triofox Improper Access Control vulnerability, and CVE-2025-62215, a Microsoft Windows Race Condition vulnerability), and reissued orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Akira Ransomware Group Targets Vulnerabilities for Initial Access

The CISA Akira advisory notes that in a June 2025 incident, Akira encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine (VM) disk files for the first time, expanding the ransomware group’s abilities beyond VMware ESXi and Hyper-V by abusing CVE-2024-40766, a SonicWall vulnerability. The updated advisory adds six new vulnerabilities exploited by Akira threat actors for initial access, including:

• CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
• CVE-2023-28252, a Windows Common Log File System Driver Elevation of Privilege vulnerability
• CVE-2024-37085, a VMware ESXi authentication bypass vulnerability
• CVE-2023-27532, a Veeam Missing Authentication for Critical Function vulnerability
• CVE-2024-40711, a Veeam Deserialization of Untrusted Data vulnerability
• CVE-2024-40766, a SonicWall Improper Access Control vulnerability

“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the CISA advisory said. In some cases, they gain initial access with compromised VPN credentials, possibly by using initial access brokers or brute-forcing VPN endpoints. The group also uses password spraying techniques and tools such as SharpDomainSpray to gain access to account credentials. Akira threat actors have also gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. “After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers,” the advisory said.

Akira’s Latest Discovery, Persistence and Evasion Tactics

Visual Basic (VB) scripts are frequently used by the group to execute malicious commands, and nltest /dclist: and nltest /DOMAIN_TRUSTS are used for network and domain discovery. Akira threat actors abuse remote access tools such as AnyDesk and LogMeIn for persistence and to “blend in with administrator activity,” and Impacket is used to execute the remote command wmiexec.py and obtain an interactive shell. Akira threat actors also uninstall endpoint detection and response (EDR) systems to evade detection. In one incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by powering down the domain controller’s VM and copying the VMDK files to a newly created VM, CISA said. “This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account,” the advisory said. Veeam.Backup.MountService.exe has also been used for privilege escalation (CVE-2024-40711), and AnyDesk, LogMeIn, RDP, SSH and MobaXterm have been used for lateral movement. Akira actors have used tunneling utilities such as Ngrok for command and control (C2) communications, initiating encrypted sessions that bypass perimeter monitoring. PowerShell and Windows Management Instrumentation Command-line (WMIC) have also been used to disable services and execute malicious scripts. Akira threat actors have been able to exfiltrate data in just over two hours from initial access, CISA said. The new Akira_v2 variant appends encrypted files with an .akira or .powerranges extension, or with .akiranew or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users). CISA recommended a number of security best practices for combatting the Akira ransomware threat, including prioritizing remediating known exploited vulnerabilities, enforcing phishing-resistant multifactor authentication (MFA), and maintaining regular, tested offline backups of critical data.

Ransomware attacks soared 30% in October to the second-highest total on record, Cyble reported today. The 623 ransomware attacks recorded in October were second only to February 2025’s record attacks, when a CL0P MFT campaign drove the total number of ransomware attacks to 854. October was the sixth consecutive monthly increase in ransomware attacks, Cyble noted in a blog post. Qilin once again was the most active ransomware group, for the sixth time in the seven months since the decline of RansomHub. Qilin’s 210 claimed victims were three times greater than second-place Akira (chart below). Just behind Akira was Sinobi with 69 victims, a remarkable rise for a group that first emerged in July. [caption id="attachment_106750" align="aligncenter" width="624"] Top ransomware groups October 2025 (Cyble)[/caption] Construction, Professional Services, Healthcare, Manufacturing, IT and Energy/Utilities were the most targeted sectors (chart below). [caption id="attachment_106751" align="aligncenter" width="624"] Ransomware attacks by industry October 2025 (Cyble)[/caption] Cyble noted that 31 incidents in October may have affected critical infrastructure, and another 26 incidents had possible supply chain implications. The U.S. once again was the most attacked country, its 361 attacks 10 times greater than second-place Canada (chart below). [caption id="attachment_106753" align="aligncenter" width="624"] Ransomware attacks by country October 2025 (Cyble)[/caption] “Of concern is the emergence of Australia as a top five target, as the country’s rich resources and high per-capita GDP have made the country a rich target for threat actors,” Cyble noted. Ransomware attacks are up 50% so far this year, with 5,194 ransomware attacks through October 31, Cyble said, “as new leaders like Qilin, Sinobi and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub.”

Vulnerabilities Exploited by Ransomware Groups

Critical IT vulnerabilities and unpatched internet-facing assets have fueled a rise in both ransomware and supply chain attacks this year, Cyble said. Vulnerabilities targeted in October included:

• CVE-2025-61882 in Oracle E-Business Suite – targeted by Cl0p
• CVE-2025-10035 in GoAnywhere MFT – exploited by Medusa
• CVE-2021-43226 a Microsoft Windows Privilege Escalation vulnerability – Exploited by unknown ransomware groups, according to a CISA advisory
• CVE-2025-6264 in Velociraptor – targeted by Warlock ransomware operators
• CVE‑2024‑1086 in the Linux kernel’s netfilter :nf_tables module – Exploited by unknown ransomware groups, according to a CISA advisory

Ransomware Attacks and Key Developments

Below were some of the most important ransomware developments in October, according to Cyble. Ransomware operators are “increasingly hijacking or silently installing legitimate remote access tools” such as AnyDesk, RustDesk, Splashtop, and TightVNC after credential compromise to gain persistent access, control, antivirus neutralization and ransomware delivery. Recent BlackSuit campaigns used Vishing to steal VPN credentials for initial access and DCSync on a domain controller for high-privilege access, and used AnyDesk and a custom RAT for persistence. “Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption,” Cyble said. Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing remote-management tools like WinSCP, Splashtop, AnyDesk, and ScreenConnect, and leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks, among other tools and tactics. Trigona ransomware operators brute-forced exposed MS-SQL servers and embedded malware inside database tables and exporting it to disk to install payloads. DragonForce posted on the RAMP cybercrime forum that it is opening its partner program to the public, offering services like professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee. Affiliates were warned to follow the group’s rules “or face account blocking or free decryptor distribution.” Zeta88 — the alleged operator of The Gentlemen ransomware — announced updates to their Windows, Linux and ESXi lockers, including a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spread capabilities across networks and domains. The release also introduced multiple encryption-speed modes, Windows operating modes, and a universal decryptor. The full Cyble blog also included recommended best practices and recent high-confidence Qilin indicators of compromise (IoCs).

Learn how Nevada refused to pay ransom after a 2025 cyberattack, restoring systems in 28 days—and what this reveals about ransomware readiness and policy.

The post Doubling Down in Vegas: The High-Stakes Question of Whether to Pay appeared first on Security Boulevard.

The Qilin ransomware group has been by far the most active ransomware group over the last seven months, so two new research reports detailing some of the group’s tactics, techniques and procedures (TTPs) are worth noting. Trend Micro researchers examined a Qilin attack – the group is identified as “Agenda” by Trend – that deployed the group’s Linux ransomware variant on Windows systems, while Cisco Talos also looked at the group’s methods, including defensive evasion techniques. Cyble threat intelligence researchers have documented 677 ransomware attacks by Qilin since the group emerged as the top ransomware group following the decline of RansomHub in what may have been an act of sabotage. Those 677 attacks are more than double those of second-place Akira (chart below). [caption id="attachment_106327" align="aligncenter" width="1200"] Top ransomware groups April-October 2025 (Cyble)[/caption]

Qilin Ransomware Group Deploys Linux Ransomware on Windows

The Qilin ransomware attack documented by Trend Research combined WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines, in addition to using Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances to obfuscate command-and-control (C&C) traffic Qilin installed legitimate tools like AnyDesk through Atera’s remote monitoring and management (RMM) platform and ScreenConnect for command execution. The attackers also targeted Veeam backup infrastructure using custom credential extraction tools, “systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload,” the researchers said. “This attack challenges traditional Windows-focused security controls,” the researchers wrote. “The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.” Initial access appears to have come from a social engineering campaign involving fake CAPTCHA pages, because investigators “identified that multiple endpoints within the compromised environment had connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts.” Those pages apparently delivered infostealers to the endpoints, harvesting authentication tokens, browser cookies, and stored credentials. “The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the ... threat actors with the valid accounts necessary for their initial access into the environment,” the researchers said. “This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.” The attackers used a SOCKS proxy DLL for remote access and command execution, loaded directly into memory using the legitimate Windows rundll32.exe process. The legitimate administrator account password was also reset to prevent admins from regaining access. ScreenConnect was used to execute discovery commands via temporary command scripts, “systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity.” Network scanning tools like NetScan were also used to discover additional systems, services, and potential lateral movement targets, while PuTTY SSH clients were used to facilitate lateral movement to Linux systems within the environment.

Qilin Targeting Veeam Backups to Harvest Credentials

The Qilin attackers targeted Veeam backup infrastructure to harvest credentials, “recognizing that backup systems often store credentials for accessing multiple systems across the enterprise,” the Trend researchers said. PowerShell scripts with base64-encoded payloads were used to extract and decrypt stored credentials from Veeam databases. “When decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing credentials for different segments of the infrastructure,” the researchers said. “This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.”

Qilin Defense Evasion Tactics

The attackers deployed “sophisticated anti-analysis tools to evade security solutions,” Trend said, with 2stX.exe and Or2.exe using the eskle.sys driver for anti-antivirus capabilities through a BYOVD attack. The eskle.sys driver was used to disable security solutions, terminate processes, and evade detection, they said. Cisco Talos researchers documented Qilin defense evasion techniques that included  using obfuscated PowerShell code that employed numeric encoding. Executing the PowerShell commands makes three configuration changes, the Talos researchers said. Disabling Windows Antimalware Scan Interface (AMSI) prevents interference with execution of payloads, and disabling TLS certificate validation allows the attackers to contact malicious domains or C2 servers. The third configuration change enables Restricted Admin to force RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. “Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user,” Talos said. The Talos researchers observed “traces of attempts to disable EDR using multiple methods,” such as commands that launch the EDR’s uninstall.exe file or attempts to stop services using the sc command. Use of open source tools like dark-kill and HRSword was also observed. “The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging,” the Trend researchers said. “Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.”