Executive Summary
In 2025, the ransomware economy shifted away from encryption toward data theft and extortion. Ransomware attempts rose 146% year over year, and attackers exfiltrated 238 TB of data, a 92% increase over the previous year. The United States accounted for 50% of global incidents, with manufacturing, technology, and healthcare the most targeted sectors; the oil and gas industry saw a 900% rise in attacks, underscoring how far the targeting has broadened. (globenewswire.com)
This trend underscores the urgency for organizations to bolster their cybersecurity defenses. The pivot towards data extortion highlights the need for comprehensive security strategies that encompass data protection, rapid vulnerability patching, and robust identity management to mitigate the escalating risks posed by these evolving cyber threats.
Why This Matters Now
The rapid evolution of ransomware tactics towards data extortion necessitates immediate action from organizations to enhance their cybersecurity measures, focusing on data protection and swift vulnerability management to counteract these sophisticated threats.
Attack Path Analysis
The adversary gained initial access by exploiting known vulnerabilities in internet-facing systems (edge devices such as VPN and firewall appliances, and the collaboration, file-transfer, ERP and virtualization products listed under Related CVEs), escalated privileges by compromising administrative credentials, moved laterally to reach sensitive data, established command and control channels, staged and transferred the data to external cloud storage, and then demanded a ransom under threat of publishing the stolen data, with or without encrypting systems.
Kill Chain Progression
Initial Compromise
Description
The adversary exploited known, publicly exploited vulnerabilities in internet-facing systems to gain unauthorized access: edge devices such as VPN and firewall appliances, and the application and virtualization products listed below.
Related CVEs
CVE-2025-49704
CVSS 8.8 – A code injection vulnerability in Microsoft SharePoint Server that yields remote code execution. It was exploited in the wild as part of the ToolShell chain, which pairs it with a separate authentication bypass so that no credentials are needed; crafted requests to the on-premises server are enough.
Affected Products:
Microsoft SharePoint Server – 2016, 2019, Subscription Edition (SharePoint Online is not affected)
Exploit Status:
exploited in the wild
CVE-2025-10035
CVSS 10.0 – A deserialization vulnerability in the License Servlet of Fortra GoAnywhere MFT. An attacker who can present a validly forged license response signature gets arbitrary attacker-controlled objects deserialized, leading to command injection and unauthenticated remote code execution. It was exploited as a zero-day.
Affected Products:
Fortra GoAnywhere MFT – < 7.8.4 (sustain release: < 7.6.3)
Exploit Status:
exploited in the wild
CVE-2025-61882
CVSS 9.8 – A vulnerability in Oracle E-Business Suite (Oracle Concurrent Processing, BI Publisher Integration) that allows an unauthenticated attacker with HTTP access to the server to execute arbitrary code. It was exploited as a zero-day in a data theft extortion campaign linked to Cl0p before Oracle shipped an emergency patch.
Affected Products:
Oracle E-Business Suite – 12.2.3 to 12.2.14
Exploit Status:
exploited in the wild
CVE-2025-22225
CVSS 8.2 – An arbitrary kernel write vulnerability in VMware ESXi. An attacker who already holds privileges within the VMX process (that is, who controls a guest VM) can escape the VM sandbox and run code on the hypervisor host, which ransomware operators use to reach every VM on the host at once.
Affected Products:
VMware ESXi – 7.0, 8.0
Exploit Status:
exploited in the wild
CVE-2025-8088
CVSS 8.8 – A path traversal vulnerability in WinRAR for Windows. A crafted archive can use alternate data streams to write files outside the chosen extraction directory, for example into the user's Startup folder, so that a dropped payload runs at next logon. It was exploited as a zero-day by a Russia-linked group before the fix in 7.13.
Affected Products:
RARLAB WinRAR – < 7.13
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
External Remote Services (T1133)
Exploitation of Remote Services (T1210)
OS Credential Dumping (T1003)
Data Encrypted for Impact (T1486)
Financial Theft (T1657)
Data from Cloud Storage (T1530)
Exfiltration Over Web Service (T1567)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
High-value data targets face increased ransomware and data extortion risks, with regulatory compliance vulnerabilities across payment systems and customer financial information.
Health Care / Life Sciences
Critical patient data exposure through VPN vulnerabilities and virtualization attacks threatens HIPAA compliance, with ransomware targeting essential healthcare infrastructure systems.
Information Technology/IT
IT infrastructure providers face direct targeting through exploited VPN, firewall, and virtualization vulnerabilities, enabling widespread downstream client data extortion attacks.
Government Administration
Public sector entities vulnerable to data theft extortion through exploited Fortinet, SonicWall, and Citrix systems, compromising citizen data and critical infrastructure operations.
Sources
- The ransomware economy is shifting toward straight-up data extortion (CyberScoop): https://cyberscoop.com/google-threat-intelligence-group-ransomware-report-2026/
- Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware (Tom's Hardware): https://www.tomshardware.com/tech-industry/cyber-security/microsoft-says-china-based-hackers-exploiting-critical-sharepoint-vulnerabilities-to-deploy-warlock-ransomware-three-china-affiliated-threat-actors-seen-taking-advantage
- Experts warn a maximum severity GoAnywhere MFT flaw is now being exploited as a zero day (TechRadar): https://www.techradar.com/pro/security/experts-warn-a-maximum-severity-goanywhere-mft-flaw-is-now-being-exploited-as-a-zero-day
- Oracle forced to rush out patch for zero-day exploited in attacks (TechRadar): https://www.techradar.com/pro/security/oracle-forced-to-rush-out-patch-for-zero-day-exploited-in-attacks
- CISA confirms exploitation of VMware ESXi flaw by ransomware attackers (Help Net Security): https://www.helpnetsecurity.com/2026/02/05/cisa-cve-2025-22225-ransomware-exploitation/
- Russian-Linked Hackers Are Exploiting a WinRAR Flaw - Here's How to Stay Safe (Windows Central): https://www.windowscentral.com/software-apps/new-winrar-zero-day-pc-vulnerability-exploited-by-hackers-what-you-need-to-know
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the adversary's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and impact the organization by threatening data release.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The adversary's ability to exploit vulnerabilities in VPN and firewall devices would likely be constrained, reducing the likelihood of unauthorized network access.
Control: Zero Trust Segmentation
Mitigation: The adversary's ability to escalate privileges by obtaining administrative credentials would likely be constrained, limiting their access to critical systems.
Control: East-West Traffic Security
Mitigation: The adversary's ability to move laterally within the network would likely be constrained, reducing their access to sensitive data.
Control: Multicloud Visibility & Control
Mitigation: The adversary's ability to establish command and control channels would likely be constrained, reducing the risk of undetected data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: The adversary's ability to exfiltrate data to external cloud storage would likely be constrained, reducing the risk of data loss.
The adversary's ability to leverage exfiltrated data for extortion would likely be constrained, reducing the potential impact on the organization.
Impact at a Glance
Affected Business Functions
- Data Management
- File Transfer Operations
- Enterprise Resource Planning
- Virtualization Infrastructure
Estimated downtime: 14 days
Estimated loss: $5,000,000
Data at risk: Sensitive corporate data, including internal documents, financial records, and customer information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and enforce least privilege access controls.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Apply Inline IPS (Suricata) to identify and block known exploit patterns and malicious payloads.
- Enforce East-West Traffic Security to monitor and control internal network communications, limiting adversary movement within the network.
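The egress controls above are only as useful as the detection logic behind them. The Python below is an added example, not code from the original page or from any vendor product: it reads proxy log lines, aggregates upload volume per source host and destination within a sliding time window, and flags large uploads to hosts outside a sanctioned list, the pattern behind Exfiltration Over Web Service (T1567) and the transfer to external cloud storage described in the attack path. The log format, host names, IP addresses, user names, thresholds and window are all assumptions made for the example; the sample log lines are constructed.

```python
"""Added example (not from the original page): flag candidate data exfiltration
to unsanctioned cloud or file-sharing hosts from proxy logs (ATT&CK T1567)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed, space-separated proxy format:
#   timestamp src_ip method dest_host bytes_sent bytes_received user
# The first three lines model a service account pushing ~2 GiB to an
# unsanctioned file-sharing host at 02:10 in three large PUTs.
SAMPLE_LOGS = """\
2025-06-01T02:10:05Z 10.20.1.15 PUT  files.example-share.net    734003200    512 svc_backup
2025-06-01T02:11:40Z 10.20.1.15 PUT  files.example-share.net    805306368    512 svc_backup
2025-06-01T02:13:02Z 10.20.1.15 PUT  files.example-share.net    629145600    512 svc_backup
2025-06-01T09:00:11Z 10.20.4.88 GET  www.example.com                 1024 204800 alice
2025-06-01T09:05:30Z 10.20.4.88 POST api.example-crm.com             4096   8192 alice
2025-06-01T11:30:00Z 10.20.7.3  PUT  storage.cloud-bucket.example 52428800    256 bob
"""

# Assumed allowlist of sanctioned SaaS destinations. Anything else that
# receives a large upload is treated as unsanctioned external storage.
SANCTIONED_UPLOAD_HOSTS = {"api.example-crm.com"}

# Assumed thresholds: 1 GiB sent from one source to one unsanctioned host
# within a 15-minute window. Tune per environment from a baseline.
VOLUME_THRESHOLD = 1 * 1024 ** 3
WINDOW = timedelta(minutes=15)
UPLOAD_METHODS = {"PUT", "POST"}


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, src, method, host, sent, recv, user = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "method": method,
        "host": host,
        "sent": int(sent),
        "recv": int(recv),
        "user": user,
    }


def find_exfil_candidates(log_text, threshold=VOLUME_THRESHOLD, window=WINDOW,
                          sanctioned=SANCTIONED_UPLOAD_HOSTS):
    """Return one alert per (src, host) pair whose upload volume to an
    unsanctioned host reaches `threshold` bytes within any `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    uploads = defaultdict(list)
    for e in events:
        if e["method"] in UPLOAD_METHODS and e["host"] not in sanctioned:
            uploads[(e["src"], e["host"])].append(e)

    alerts = []
    for (src, host), evs in uploads.items():
        # Sliding window over the time-ordered uploads for this pair.
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["sent"]
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["sent"]
                start += 1
            if total >= threshold:
                alerts.append({
                    "src": src,
                    "host": host,
                    "user": e["user"],
                    "bytes": total,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_exfil_candidates(SAMPLE_LOGS):
        print(f"ALERT {a['src']} ({a['user']}) -> {a['host']}: "
              f"{a['bytes'] / 1024 ** 2:.0f} MiB between {a['first']:%H:%M:%S} "
              f"and {a['last']:%H:%M:%S}")
```

On the constructed sample the detector raises a single alert for 10.20.1.15 after its second PUT, when the window total crosses 1 GiB; the small upload from 10.20.7.3 and the sanctioned POST from alice are ignored. Two caveats a practitioner will hit in production: the method and byte counts are only visible where traffic is proxied or TLS-inspected, and extortion crews deliberately use legitimate cloud storage, so the allowlist should name sanctioned tenants rather than whole providers, and the threshold should come from a per-host baseline rather than a fixed number.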