Ransomware surged in Q3 2025, with just three groups accounting for the majority of cases (65%), and initial access most commonly achieved via compromised VPN credentials, according to Beazley Security.
The Beazley Insurance subsidiary said Akira, Qilin and INC Ransomware were the most prolific groups in the third quarter, which saw 11% more leak posts than the previous three months.
As in Q2, the use of valid credentials to access VPNs was the most common method of initial access, accounting for half (48%) of breaches, up from 38% the prior quarter. Exploitation of external services was the second most common technique, comprising 23% of cases.
Credentials were also targeted in a prolonged campaign by the Akira group against SonicWall security appliances.
“In cases where attribution was established, the group consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report noted.
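The pattern the report describes, credential stuffing against an SSL VPN with no MFA and no effective lockout, shows up in authentication logs as many distinct usernames failing from one source in a short window, followed by a success. As an added example (not code from the Beazley report or from SonicWall), the Python below runs that check over constructed log lines in an assumed simplified format, separating stuffing from ordinary mistyped passwords and flagging any account that succeeded right after the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed simplified format (timestamp,
# source IP, username, result); this is not real SonicWall log output.
SAMPLE_LOG = """\
2025-09-14T02:00:01 src=203.0.113.7 user=alice result=FAIL
2025-09-14T02:00:02 src=203.0.113.7 user=bob result=FAIL
2025-09-14T02:00:03 src=203.0.113.7 user=carol result=FAIL
2025-09-14T02:00:04 src=203.0.113.7 user=dave result=FAIL
2025-09-14T02:00:05 src=203.0.113.7 user=erin result=FAIL
2025-09-14T02:00:06 src=203.0.113.7 user=frank result=SUCCESS
2025-09-14T02:10:00 src=198.51.100.9 user=alice result=FAIL
2025-09-14T02:10:30 src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text):
    """Parse the simplified lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts within
    `window`; per-account lockout never trips on this because each account
    sees only one attempt. Returns {src: {"failed_users": set, "compromised": set}}
    where "compromised" holds accounts that succeeded while the burst was active."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = []  # sliding window of (timestamp, user) failures from this source
        for ts, _, user, result in sorted(evs):
            fails = [f for f in fails if ts - f[0] <= window]
            if result == "FAIL":
                fails.append((ts, user))
            distinct = {u for _, u in fails}
            if len(distinct) >= min_users:
                hit = alerts.setdefault(src, {"failed_users": set(), "compromised": set()})
                hit["failed_users"] |= distinct
                if result == "SUCCESS":
                    hit["compromised"].add(user)
    return alerts
```

The second source (one user, one failure then a success) is not flagged, which is what separates a stuffing burst from a user mistyping a password.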
The commoditization of stolen credentials demands organizations embrace comprehensive multi-factor authentication (MFA) and conditional access policies, Beazley said.
Infostealers are helping to fuel the supply of such credentials on the cybercrime underground. Even as Operation Endgame disrupted the Lumma Stealer ecosystem, the Rhadamanthys variant appeared to take over, the report claimed.
Zero-Day Exploits Surge
The threat to corporate systems comes not just from credential abuse. In Q3, Beazley tracked 11,775 new CVEs published by NIST. Although that figure was barely changed from the previous quarter, Beazley Security Labs issued 38% more advisories to customers regarding zero-day vulnerabilities in Q3.
These included:
“The trend stresses the need for vulnerability management to be practiced as a continuous discipline, with organizations understanding and addressing severe vulnerabilities as quickly as possible,” said Beazley.
“In some situations, that may mean implementing temporary mitigations or locking down network access until critical patches can be provided. Additionally, organizations should assume that critically vulnerable devices that are exposed to the internet may have already been compromised, and to investigate appropriately.”