As cybercriminals intensify their exploitation of security vulnerabilities, ransomware gangs have increasingly targeted unpatched servers to infiltrate critical infrastructure networks across multiple industries.
Attackers have exploited unpatched remote access tools, SimpleHelp in particular, to gain initial access to organizational networks and then deploy ransomware payloads across the compromised systems.
Trend Micro reports that the Fog ransomware gang had claimed 100 victims via data leaks as of April 2025, while major groups including Akira, MORPHEUS, and Gd Lockersec continue to exploit vulnerabilities in widely deployed server software.
These unpatched server exploitations allow lateral movement throughout networks, permitting attackers to penetrate broader segments of critical infrastructure and maximize their operational impact.
Manufacturing, finance, and IT are the primary targets of these coordinated attacks because remote access solutions are widely deployed in those sectors and their defenses are perceived as weak. The retail sector has faced particularly severe targeting, with DragonForce compromising major brands including Harrods, Co-Op UK, and Christian Dior in coordinated attacks.
Manufacturing remains the most heavily targeted sector in early 2025, with attackers tailoring their approaches to exploit sector-specific operational dependencies and interconnected network architectures.
Recent statistics show the escalating scope of ransomware operations: January 2025 recorded 510 victims globally and a record 92 ransomware attacks disclosed during the month, a 21% increase over the previous year. The most active threat actor during this period was RansomHub, which led multiple high-profile campaigns against a range of organizations.
Ransomware incidents now account for approximately 20% of all cyber breaches, with the United States remaining the most targeted region globally.
The financial and operational consequences of these attacks continue expanding as ransomware gangs claim theft of massive data volumes, with one group alleging acquisition of 150 GB and more than 400,000 files in a single incident.
Stolen credentials used alongside unpatched vulnerabilities compound breach impacts, and attackers frequently publish sample files to prove they hold the data and to intensify pressure on victim organizations.
New ransomware groups such as MORPHEUS and Gd Lockersec have emerged, increasing overall threat complexity through refined lateral movement and privilege escalation tactics.
Although RansomHub and Cl0p declined in activity, Akira, Lynx, and Incransom showed significant spikes, using Python-based malware and VMware ESXi exploitation to evade detection and prevention efforts across targeted industries.