
VPN Credentials Fuel 50% of Ransomware Attacks

Summary

– Ransomware attacks increased in Q3 2025, with three groups (Akira, Qilin, and INC Ransomware) responsible for 65% of cases and 11% more leak posts than the previous quarter.
– Compromised VPN credentials were the most common initial access method, accounting for 48% of breaches, up from 38% in the prior quarter.
– The Akira group ran a sustained credential stuffing campaign against SonicWall SSL-VPN appliances, logging in with valid stolen credentials and taking advantage of weak access controls such as absent MFA and lax account lockout.
– The rise in zero-day vulnerabilities led to 38% more advisories from Beazley Security Labs, including critical CVEs affecting Microsoft SharePoint, CrushFTP, Cisco ASA VPN, and Citrix NetScaler.
– Beazley emphasized the need for comprehensive MFA, conditional access policies, and continuous vulnerability management to address threats from stolen credentials and zero-day exploits.

A significant surge in ransomware activity during the third quarter of 2025 has been linked directly to compromised VPN credentials, which served as the entry point for nearly half of all initial access incidents documented in the period. According to a recent Beazley Security report, just three ransomware groups were responsible for the majority of incidents, highlighting a concentrated threat landscape in which stolen credentials, rather than novel exploits, are the primary way in.

The groups identified as Akira, Qilin, and INC Ransomware were the most active, and together drove an 11% increase in data leak posts compared to the previous quarter. Logging into VPN services with valid credentials accounted for 48% of initial access incidents, a sharp rise from 38% in the prior period. Exploitation of vulnerabilities in externally exposed services was the second most common technique, at 23% of cases.

One extended campaign carried out by the Akira group specifically targeted SonicWall security appliances. The attackers repeatedly gained access through credential stuffing against SonicWall SSLVPN services: stolen username and password pairs, replayed at scale until one of them worked. Because each account is typically tried only once or twice, per-account lockout thresholds rarely trigger, and without multi-factor authentication a single valid pair is enough to authenticate. Security analysts noted that exactly these weaknesses, the absence of MFA and insufficient account lockout policies, made the devices particularly vulnerable.
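The detection that follows from the attack pattern above is to key on the source address and count distinct accounts attempted, rather than on failures per account. The script below is an added example, not code from the original article or from SonicWall or Beazley; the log lines are constructed in a generic `timestamp src user result` form that stands in for whatever SSL-VPN authentication log an organization exports to its SIEM, and the window and threshold values are assumptions to be tuned locally.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication events (not a real SonicWall format).
# One source sprays six different accounts in 13 seconds and lands one hit;
# a second source retries a single account twice, which is not stuffing.
SAMPLE_LOG = """\
2025-09-14T02:10:01Z src=203.0.113.7 user=jsmith result=FAIL
2025-09-14T02:10:03Z src=203.0.113.7 user=mlee result=FAIL
2025-09-14T02:10:05Z src=203.0.113.7 user=akhan result=FAIL
2025-09-14T02:10:08Z src=203.0.113.7 user=rgarcia result=FAIL
2025-09-14T02:10:11Z src=203.0.113.7 user=tchen result=FAIL
2025-09-14T02:10:14Z src=203.0.113.7 user=dwilson result=SUCCESS
2025-09-14T02:15:00Z src=198.51.100.22 user=jsmith result=FAIL
2025-09-14T02:15:30Z src=198.51.100.22 user=jsmith result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into (timestamp, src, user, result) tuples.
    Lines that do not match are skipped rather than aborting the run."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag any source IP that attempts >= min_users distinct accounts within
    a sliding time window. Per-account lockout never sees this pattern because
    each account is only tried once, so the aggregation must be per source.

    Returns {src: {"distinct_users", "successful_accounts", "first", "last"}}.
    """
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) >= min_users:
                # Any SUCCESS inside a flagged window is an account that now
                # needs its password rotated and its sessions revoked.
                hits = sorted(u for _, u, r in win if r == "SUCCESS")
                findings[src] = {
                    "distinct_users": len(users),
                    "successful_accounts": hits,
                    "first": win[0][0],
                    "last": win[-1][0],
                }
    return findings


if __name__ == "__main__":
    for src, f in find_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_users']} accounts tried "
              f"{f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}, "
              f"compromised: {f['successful_accounts'] or 'none'}")
```

Note that the single-account retries from the second source are deliberately not flagged here; they belong to a separate brute-force rule keyed on failures per account, which is the case a lockout policy does handle. Running both rules side by side covers the two halves of the password-guessing problem.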

The widespread availability of stolen credentials on underground markets underscores the critical need for organizations to enforce multi-factor authentication on every remote access path and to apply conditional access policies that weigh device, location, and sign-in risk. Information-stealing malware continues to supply a steady stream of usernames and passwords to cybercriminals. Even after law enforcement operations disrupted the Lumma Stealer ecosystem, Rhadamanthys, an established infostealer, quickly filled the gap.

Beyond credential-based attacks, businesses also faced an escalating number of zero-day vulnerabilities. Security researchers tracked nearly 11,800 new CVEs during the quarter, and advisories concerning zero-day threats rose 38%. Notable vulnerabilities included flaws in Microsoft SharePoint, CrushFTP, Cisco ASA VPN, and Citrix NetScaler systems.

This trend emphasizes that vulnerability management must be treated as a continuous discipline, requiring organizations to identify and remediate severe flaws as rapidly as possible. Where a patch is not yet available, that can mean applying temporary mitigations such as vendor workarounds or restricting network access to the affected service. Companies are also advised to operate under the assumption that internet-exposed devices carrying critical vulnerabilities may already be compromised, warranting immediate investigation rather than patching alone.

(Source: InfoSecurity Magazine)
