Blog

Ransomware stayed hot in late January, with Cl0p jumping to the top after its huge Cleo linked victim dump, while Qilin, Akira, Sinobi and The Gentlemen kept pressure on manufacturing and mid market orgs. At the same time, exploitation of vCenter, SmarterMail, Zimbra, Ivanti EPMM and Fortinet gear drove a wave of opportunistic intrusions. Threat actors like Sandworm, Konni and ShinyHunters leaned on phishing, credential theft and stealthy C2, with Sandworm remaining the most worrying due to its destructive track record.

We open the new year with a Microsoft CVE dating back to 2009 finally being added to the CISA known exploited vulnerability catalog on the 7th of January. On the ransomware front, we start the year with Qilin once again taking the top spot. While good backup and DR processes can mitigate the impact of encryption, threat actors have learned that there is little that victims can do once their data is stolen.

As 2025 ended vendor reports slowed down. Even reports of emerging threats slowed down a little. Could the bad guys also be taking a break? The reality seems less comforting as we are still seeing plenty of victims and we are also seeing a significant number of actively exploited vulnerabilities.

LockBit resurfaced and immediately re-entered the top 5, driving renewed ransomware activity. Coinbase Cartel’s victim postings pushed the UAE into the top 5 target regions and elevated construction to the top victim sector.

Qilin leads ransomware activity this period, with CL0P and Akira close behind. Newer and mid-tier groups like Sinobi and DragonForce show rising impact. Victims are primarily small US-based businesses, with manufacturing, technology, retail, and construction most affected.

One of the most concerning developments over this period has been the discovery of zero-click vulnerabilities in Samsung mobile devices, which have already been actively exploited by the Landfall spyware.

The recent theft of source code from F5 has seen over a quarter of a million F5 BIG-IP instances exposed to potential remote attacks via the Internet, and in terms of victim locations, we see a notable change in this period, with Australia joining the top 5.