Daily Ransomware Report – 12/23/2025

Estimated Reading Time: 2 minutes

Key Takeaways

  • Diverse Ransomware Landscape: Twelve distinct ransomware groups posted new victims in a 24-hour period, indicating a fragmented but active threat environment.
  • Healthcare and Education Targeting: These sectors continue to be primary targets, accounting for a significant portion of reported victims (7 out of 20).
  • Critical Infrastructure Pressure: Incidents against a telecommunications entity in Malaysia by WALocker and an agriculture firm in Peru by BlackShrantac highlight ongoing targeting of essential services.
  • Exploitation of Network Devices: Numerous vulnerabilities in firewalls, VPN gateways, and enterprise applications (e.g., Fortinet, Cisco, Oracle E-Business Suite) remain actively exploited by various threat actors.
  • Multi-vector Initial Access: Campaigns frequently combine vulnerability exploitation with advanced social engineering, phishing, and compromised external accounts to achieve initial compromise and persistence.

Table of Contents

Statistical Overview

Victim Totals

  • This day (24h): 20
  • This month: 608
  • This quarter: 2107
  • Year-to-date: 7525

Quarterly Breakdown

  • Q1: 2294
  • Q2: 1511
  • Q3: 1637
  • Q4: 2107

Ransomware activity remains elevated in Q4, with 2107 reported victims this quarter, demonstrating consistent pressure across various sectors. The year-to-date total of 7525 victims indicates persistent threat actor operations throughout 2025.

Introduction

The past 24 hours saw 20 new ransomware victims posted to leak sites. Lynx was the most active group, accounting for 5 victims, followed by Sinobi with 4, and Qilin with 2. Healthcare and Education were the most impacted sectors, while the United States and Malaysia experienced the highest volume of reported incidents.

Ransomware Summary Table

# Group Victims (24h) Sample Victims Top Geos Top Sectors
1 Lynx 5 ccedarvalleyservices.org, https://www.ckm-montagen.de/en/, https://www.omnibusjp.com United States, Germany Professional Services, Government / Public Sector
2 Sinobi 4 Center for Life Resources ECI, Geometrics, Hanlon Electric United States Healthcare, Manufacturing
3 Qilin 2 Loginport, Universiti sains islam malaysia Argentina, Malaysia Transportation & Logistics, Education
4 3AM 1 Mbgsd.org United States Education
5 Anubis 1 Laidley family doctors Australia Healthcare
6 BlackShrantac 1 Agrícola cerro prieto Peru Agriculture & Food
7 Crypto24 1 Unified assessment platform examroom.ai United States Education
8 Devman 1 Clínica dávila Chile Healthcare
9 Medusa 1 Jbs United States Healthcare
10 Nova (RALord) 1 Sense eletronica Brazil Automotive
11 1 Pernec corporation bhd Malaysia Telecommunications
12 1

The current 24-hour period highlights the continued diversification of ransomware targeting across 12 distinct groups. Lynx led activity with 5 victims, demonstrating broader targeting in Professional Services and Government sectors. Sinobi focused on Healthcare and Manufacturing, predominantly in the United States. Notable targeting includes Pernec corporation bhd (Malaysia) by WALocker, a telecommunications entity, and Universiti sains islam malaysia (Malaysia) by Qilin, an educational institution, underscoring persistent threats to critical services and public sector organizations.

Victim Distribution

By Country

  • United States – 11
  • Malaysia – 2
  • Argentina – 1
  • Australia – 1
  • Brazil – 1

By Industry

  • Healthcare – 4
  • Education – 3
  • Professional Services – 3
  • Transportation & Logistics – 2
  • Agriculture & Food – 1

The United States remains the primary target geography, with 11 reported incidents. Healthcare and Education sectors experienced the highest concentration of attacks, reflecting ongoing vulnerabilities and high-value data within these industries.

Ransomware News

Topline

The threat landscape remains characterized by persistent exploitation of critical vulnerabilities, sophisticated social engineering campaigns, and the continuous evolution of ransomware and APT operations across diverse sectors.

Campaigns & Operations

Multiple campaigns leverage vulnerable services, with threat actors, including the China-nexus APT UAT-9686, exploiting Fortinet, Cisco, SonicWall, and WatchGuard products via critical CVEs such as CVE-2025-20393 and CVE-2025-40602. High-profile incidents include the INC ransomware gang targeting Pierce County Library, LG Energy Solution’s overseas facility experiencing a ransomware incident, and Cl0p continuing an Oracle E-Business Suite zero-day campaign (CVE-2025-61882) impacting entities like The Washington Post and NHS. Further analysis points to Luna Moth, Akira (exploiting SonicWall CVE-2024-40766 and CVE-2024-53704), and Quick Assist/Teams campaigns as dominant vectors for initial compromise. The STRRAT Java-based Remote Access Trojan continues to evolve with ransomware-like capabilities.

Vulnerabilities & TTPs

Exploitation remains broad, encompassing urgent Chrome patches for CVE-2025-14174, Apple zero-days CVE-2025-43529 and CVE-2025-14174 in WebKit, SAP vulnerabilities including CVE-2025-42880 and CVE-2025-55754, and Windows kernel privilege escalation via CVE-2025-62215. Other actively exploited flaws include Cisco Identity Services Engine CVE-2025-20337, Citrix NetScaler CVE-2025-5777, and Fortinet FortiWeb CVE-2025-58034. Attackers consistently utilize living-off-the-land techniques, credential harvesting, cloud-service abuse, and multi-stage infection chains involving WebDAV, DLL side-loading, and BYOVD to evade defenses. Phishing campaigns exploiting CVE-2017-11882 were also noted in industrial automation systems.

Analyst Note

The continued reliance on both known and zero-day vulnerabilities, coupled with sophisticated social engineering and supply-chain compromises, underscores a complex and adaptive threat landscape requiring robust behavioral detection strategies.

Technical Takeaways

  • Diverse Ransomware Landscape: Twelve distinct ransomware groups posted new victims in a 24-hour period, indicating a fragmented but active threat environment.
  • Healthcare and Education Targeting: These sectors continue to be primary targets, accounting for a significant portion of reported victims (7 out of 20).
  • Critical Infrastructure Pressure: Incidents against a telecommunications entity in Malaysia by WALocker and an agriculture firm in Peru by BlackShrantac highlight ongoing targeting of essential services.
  • Exploitation of Network Devices: Numerous vulnerabilities in firewalls, VPN gateways, and enterprise applications (e.g., Fortinet, Cisco, Oracle E-Business Suite) remain actively exploited by various threat actors.
  • Multi-vector Initial Access: Campaigns frequently combine vulnerability exploitation with advanced social engineering, phishing, and compromised external accounts to achieve initial compromise and persistence.

FAQ

No FAQs available for this report. Please check back later.