
Q3 in Review: Ransomware Trends from a Frontline Incident Response Team

Oct 6, 2025

The ransomware and threat actor ecosystem remained highly active in the past quarter. Abacus’ incident response team responded to several high-profile incidents, gaining valuable insights to apply to our hardening and resilience recommendations. With large shifts seen even over the past three months, it is key that business leaders and technical experts alike have a clear picture of what’s changing and what they need to do to keep their business protected, regardless of industry. 

Ransomware Continues Across Industries, But the Players Shifted 

The quarter began with a high volume of incidents being attributed to the threat actor group Scattered Spider. This threat actor has several key differentiators, including:  

  • Not associated with a nation state and predominantly financially motivated
  • Most members are native English speakers and minors or young adults
  • Employ a targeted approach of overwhelming different industries, like retail or insurance, and wreaking havoc before moving on to another vertical
  • Deploy sophisticated social engineering techniques to target their victims and gain initial access
  • Known to call help desks and attempt to have passwords or MFA reset to gain initial access

Scattered Spider typically hits companies with high-value data such as PII, complex IT infrastructure, and/or outsourced or vulnerable help desk operations, all of which are common in highly regulated industries such as financial services and healthcare.

Later in the quarter, Scattered Spider activity decreased significantly, and our team saw a different threat actor rise: Akira. Akira launched a series of attacks that leveraged a critical vulnerability (CVE-2024-40766) in SonicWall VPN. Originally thought to be a zero-day, it was determined that Akira obtained access through a known vulnerability and the following process:

  1. Obtained access through malicious SSL VPN logins that passed one-time password MFA challenges
  2. Harvested credentials and escalated privileges to gain access to admin tools, allowing quiet lateral movement across the network
  3. Performed rapid port scanning and Impacket SMB (Server Message Block) activity
  4. Exfiltrated sensitive data to be used for double extortion
  5. Rapidly deployed highly disruptive encryption

Threat Actor     | Point of Entry     | Initial Access Method                                          | Notable Tactics
Scattered Spider | People & Processes | 1. Help desk social engineering; 2. Target password/MFA resets | 1. Target service providers; 2. Native English speakers
Akira            | Infrastructure     | 1. Exploit SonicWall; 2. Utilize stolen credentials            | 1. Classic RaaS; 2. Double extortion

Unlike Scattered Spider, Akira casts a wide net with their targets, focusing on sheer volume rather than specifically targeting larger organizations or specific verticals. This tactic resulted in our incident response team seeing a large uptick in the number of incidents for small to midsized businesses at the end of Q3, compared to enterprises being targeted at the beginning of the quarter by Scattered Spider. 

The takeaway from the changes in activity within one quarter is that the ransomware threat landscape is constantly shifting. When one threat actor fades, another emerges to take its place, employing new and creative tactics that organizations must arm themselves against.  

How Companies Can Protect Against Ransomware 

If you’re running SonicWall VPNs, our number one recommendation is simple: disable SSL VPN immediately until patched and hardened.

Beyond that, here are critical steps every company should consider: 

Quick Wins

  • Patch aggressively and don’t delay updates
  • Audit and close unused remote access points
  • Monitor VPNs and identity systems for compromise 
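As an added illustration of the "monitor VPNs and identity systems" recommendation (this is example code, not part of the Abacus post), the following Python script correlates each VPN login with the rapid internal port scanning that the Akira chain above shows immediately after initial access, and flags sessions that fan out to many hosts and ports within minutes. The CSV log format, the thresholds, and the sample rows are constructed assumptions, not real SonicWall or EDR output.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real SonicWall or EDR output. CSV fields:
# timestamp,kind,user,src,dst,dport. For a vpn_login row, dst holds the
# internal address the VPN assigned to the session and dport is empty.
SAMPLE_LOG = """\
2025-09-14T02:11:05,vpn_login,jsmith,203.0.113.7,10.0.0.5,
2025-09-14T02:12:40,conn,jsmith,10.0.0.5,10.0.1.20,445
2025-09-14T02:12:41,conn,jsmith,10.0.0.5,10.0.1.21,445
2025-09-14T02:12:41,conn,jsmith,10.0.0.5,10.0.1.22,3389
2025-09-14T02:12:42,conn,jsmith,10.0.0.5,10.0.1.23,22
2025-09-14T02:12:42,conn,jsmith,10.0.0.5,10.0.1.24,135
2025-09-14T02:12:43,conn,jsmith,10.0.0.5,10.0.1.25,139
2025-09-14T02:12:43,conn,jsmith,10.0.0.5,10.0.1.26,5985
2025-09-14T09:03:12,vpn_login,amartin,198.51.100.9,10.0.0.6,
2025-09-14T09:05:30,conn,amartin,10.0.0.6,10.0.2.10,443
"""

WINDOW = timedelta(minutes=15)  # how long after login to watch for fan-out
MIN_HOSTS = 5                    # distinct internal hosts touched in WINDOW
MIN_PORTS = 3                    # distinct destination ports touched in WINDOW

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, kind, user, src, dst, dport = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, "user": user,
                       "src": src, "dst": dst, "dport": int(dport) if dport else None})
    return events

def find_post_login_scans(events):
    """Return {user: (hosts, ports)} for VPN sessions whose first minutes show
    wide internal fan-out; normal users touch a few servers, scanners touch many."""
    findings = {}
    for login in (e for e in events if e["kind"] == "vpn_login"):
        deadline = login["ts"] + WINDOW
        hosts, ports = set(), set()
        for e in events:
            # Only count connections sourced from this session's assigned address
            if (e["kind"] == "conn" and e["src"] == login["dst"]
                    and login["ts"] <= e["ts"] <= deadline):
                hosts.add(e["dst"])
                ports.add(e["dport"])
        if len(hosts) >= MIN_HOSTS and len(ports) >= MIN_PORTS:
            findings[login["user"]] = (len(hosts), len(ports))
    return findings

if __name__ == "__main__":
    for user, (h, p) in find_post_login_scans(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {h} hosts / {p} ports within {WINDOW} of VPN login")
```

In practice the login and connection events would come from the VPN appliance and from firewall or EDR telemetry, and the thresholds should be tuned to the normal fan-out of your own remote users.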

Long-Term Ransomware Protection

  • Implement phishing-resistant MFA across accounts
  • Invest in a Managed Detection & Response (MDR) service that can stop attacks in real time
  • Provide security awareness training to employees, especially those that may work on a help desk
  • Strengthen email filtering to cut phishing attempts
  • Harden password reset and MFA enrollment processes to prevent social engineering bypasses 

Looking Ahead

Our incident response team expects ransomware groups to continue focusing on widely deployed technologies, exploiting vulnerabilities in VPNs, hypervisors, and remote access tools. At the same time, phishing and credential theft will remain go-to methods for breaking in.  

As we move into Q4, our team anticipates an uptick in incidents, as the holiday season is consistently a peak period for cyber threats. The FBI warns the public about an increase in ransomware attacks during the holidays each year as Black Friday deals begin hitting inboxes. As the year comes to a close, employees are more likely to be working remotely and using public Wi-Fi, clicking links in emails for holiday deals, or rushing through tasks on their way to vacation, possibly missing phishing attempts. Additionally, every team, down to the IT department, has members on PTO and is working with reduced staff and diminished capacity.

People tend to be online more often around the holiday season, often using their work device for last minute shopping. This increased online activity provides cybercriminals more opportunities to exploit systems and network vulnerabilities. 

If you want to reduce your ransomware risk, connect with our team to proactively harden your business against cyber threats. 
