Hi r/netsec community,

Q4 2025 data, monitoring dark web leak sites and criminal forums
throughout October–December 2025.

Numbers:
- 2,373 confirmed victims
- 125 active ransomware groups
- 134 countries, 27 industries

Group highlights:
- Qilin peaked at 481 attacks in Q4, up from 113 in Q1
- Cl0p skipped encryption entirely in most campaigns — pure data theft + extortion via Oracle EBS and Cleo zero-days
- 46.3% of activity attributed to smaller/unnamed groups — RaaS commoditization is real

CVEs exploited this quarter (with group attribution):

RCE:
- CVE-2025-10035 (Fortra GoAnywhere MFT) — Medusa
- CVE-2025-55182 (React Server Components) — Weaxor
- CVE-2025-61882 (Oracle E-Business Suite) — Cl0p
- CVE-2024-21762 (Fortinet FortiOS SSL VPN) — Qilin

Privilege Escalation:
- CVE-2025-29824 (Windows CLFS driver → SYSTEM) — Play

Auth Bypass:
- CVE-2025-61884 (Oracle E-Business Suite) — Cl0p
- CVE-2025-31324 (SAP NetWeaver, CVSS 10.0) — BianLian, RansomExx

Notable: DragonForce announced a white-label "cartel" model through underground forums. Operations linked to Scattered Spider suggest staged attack chains — initial access and ransomware deployment split between separate actors.

Full report
brandefense.io/reports/ransomware-trends-report-q4-2025/