Stay informed on emerging cyber threats.
[Newsletter email header image, dated 13 November 2025]

In this week’s roundup, ransomware activity surged 30% in October as new threat groups reshaped the cyber battlefield, with VanHelsing RaaS expanding its reach across Windows, Linux, BSD, ARM, and ESXi environments and lowering the barrier for entry to sophisticated attacks. Meanwhile, Scattered Spider intensified its focus on financial institutions through advanced social engineering and hypervisor exploitation, a newly discovered authentication coercion flaw exposed how Windows machines can be tricked into revealing credentials to attacker-controlled servers, and a sudden CPU spike led investigators to uncover an active RansomHub ransomware intrusion—a stark reminder of how real-time monitoring and response can stop an attack in progress. Read on!


October 2025 Attacks Soar 30% as New Groups Redefine the Cyber Battlefield
Ransomware activity surged by roughly 30% in October 2025, reaching a total of 623 reported incidents, according to Cyble’s latest analysis—making it one of the most active months of the year for threat actors. The report attributes this sharp rise to the emergence of new ransomware groups such as Sinobi, Hunters International, and Arcus Media, combined with a resurgence of established syndicates adopting more sophisticated evasion and extortion techniques. Cyble notes that manufacturing, healthcare, and financial services continue to be prime targets, with attackers exploiting unpatched vulnerabilities, exposed RDP endpoints, and supply chain weaknesses.


Nathan Montierth, Threat Intelligence Lead:

"Attackers don't always go out of their way to hide ransomware attacks, but when they do, detection often happens from indirect metrics such as CPU usage or (heaven forbid) noticing encrypted files in file systems. The fact that attackers do not have to go out of their way to hide in many instances is a testament to the obscurity of the places they are choosing to attack. Hypervisors are one such target, usually unmonitored and unprotected."

On How a CPU Spike led to Uncovering a RansomHub Ransomware Attack

Chris Goodman, Director of Solutions Engineering:

"The latest report from Cloud Security Alliance highlights how the threat actor Scattered Spider is turning the strengths of the finance sector — fast help-desk response, heavy virtualization, and MFA usage — into entry points for ransomware. Their tactic flows: social engineering → identity hijack → pivot to the hypervisor layer (e.g., VMware ESXi) to encrypt entire estates. The result: banks, fintechs and credit unions face not just IT disruption, but operational, regulatory and reputational crises. Runtime security across all platforms including hypervisors is now non-negotiable."

On Scattered Spider and the Finance Sector: Ransomware Tactics Banks Can’t Afford to Ignore


VanHelsing Ransomware RaaS Expands Reach to Windows, Linux, BSD, ARM and ESXi Environments

VanHelsing, a newly launched ransomware-as-a-service (RaaS) operation debuting in March 2025, has quickly gained attention for offering affiliates a turnkey attack platform with a $5,000 buy-in and an 80% profit share, targeting Windows, Linux, BSD, ARM, and ESXi systems through an intuitive control panel. The group’s model enables even low-skilled actors to execute sophisticated, cross-platform attacks, with reported ransom demands reaching as high as $500,000 per incident.


Scattered Spider and the Finance Sector: Ransomware Tactics Banks Can’t Afford to Ignore

Scattered Spider has intensified its focus on the financial sector, leveraging advanced social engineering against help desks, SIM-swapping, and multi-factor authentication (MFA) fatigue attacks to compromise identities and escalate privileges deep within virtualized infrastructures. The group’s tactics now extend to targeting VMware ESXi hosts and hypervisors, enabling ransomware deployment that disrupts critical banking operations and exposes sensitive data. These evolving techniques underscore a new era of identity-centric and infrastructure-level attacks. 


Authentication Coercion Attack Tricks Windows Machines into Revealing Credentials to Attacker-controlled Servers

An evolving Windows exploit known as “authentication coercion” enables low-privileged attackers to trick legitimate endpoints and servers into authenticating to malicious systems, exploiting obscure and often unmonitored RPC interfaces to capture NTLM hashes and execute relay attacks. By abusing built-in network authentication mechanisms, this technique effectively bypasses endpoint detection, lateral movement controls, and traditional user-centric defenses, allowing adversaries to escalate privileges. 


How a CPU Spike led to Uncovering a RansomHub Ransomware Attack

A sudden and unexplained CPU usage spike on a corporate server prompted a swift internal investigation that exposed an active RansomHub ransomware intrusion, which originated from a deceptive browser update prompt used to deliver a malicious payload. The attackers quickly moved to harvest credentials, escalate privileges to domain admin, and exfiltrate sensitive data, preparing to deploy encryption across the network. Fortunately, rapid detection, forensic analysis, and incident response containment efforts prevented full encryption and data loss. 


Thanks for reading! Feel free to share this email with your network, and for more hypervisor and Linux cybersecurity updates, visit valicyber.com.


Vali Cyber, Inc., 529 Rookwood Place, Charlottesville, VA 22903, USA
