We would like to thank Bitdefenders Stefan Hanu, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Nikki Salas for their help with putting this report together.  
Read More
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-march-2026 

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on X. You can find all previous debriefs here. 

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed Bitdefender technology and added it to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape. 

 Top 10 Most Attacked Countries 

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release, subscribe to the Business Insights blog, and follow us on X.. You can find all previous debriefs here. 

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed Bitdefender technology and added it to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validate 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape. 

As ransomware continues to evolve, our goal with the monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) - things like news reports and research – with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all of these claims but are confident in the trends we see over time. 

From October through December, several ransomware groups announced new alliances. One of those alleged alliances emerged between Stormous, Devman, Coinbase Cartel, Nova, Radar, Desolator and Kryptos. In October Stormous posted about version 5 of their RaaS and a strategic partnership with the six groups. However, many in the research community questioned the validity of this alliance due to the number of groups involved, clashes in operational models, and the lack of communication that followed the announcement. There was no confirmation of mutual involvement or agreement between these groups. 

Another recent ransomware ecosystem development involves Nova, a group that launched their own RaaS, and sought out affiliate recruits this past summer. Another group exposed Nova’s inner workings in early December. A group named CBSecurity leaked the names and roles associated with Nova staff and multiple IP addresses tied to their infrastructure. 

There’s a high likelihood that this exposure was orchestrated by an angry Nova affiliate or a competitor. According to one source, some with ties to Nova’s may have been upset that the group targeted victims in education along with non-profits. This is a possible variable used to justify exposing the group. Our threat researchers are monitoring the situation to see if additional leaks occur in the days ahead. 

An additional development that shows a change in how ransomware groups are operating is the gradual shift in the types of ranks that are incorporated into the cybercriminal hierarchy. Ransomware groups are moving beyond a reliance on the ranks of external software developers, penetration testers, and initial access brokers. An increasing number of groups are now developing in-house expertise and creating and managing their own RaaS platforms. 

They’re also expanding recruitment efforts to reach employees at target organizations. This is evident with the group Kryptos, who encouraged corporate insiders to join the Kryptos initiative. Kryptos defined a system and a tiered approach to profit-sharing that insiders can benefit from. This expands beyond the traditional 85-90% profit margin we’ve observed in more typical RaaS models. 

Kryptos’ multi-tiered system for insiders at their target organizations invites IT admins, executive assistants, and third-party vendors to give away access to corporate networks via VPN, MFA, SSH, etc. The payoff for those willing to become an insider threat runs from thousands of dollars all the way up to millions of dollars. Organizations should be aware that ransomware operators are increasingly trying to recruit their employees to increase the odds of a successful attack. This approach removes the need for resources that other groups prioritize, such as EDR and AV killers, along with InfoStealers. 

The ShinySp1d3r RaaS was announced just before the publicized fall of Scattered LAPSUS$ Hunters in August. The RaaS release features information on the Windows encryptor and its capabilities, including the encryptor’s ability to hook EtwEventWrite to offset the writing of data into Windows Event Viewer, its ability to force kill open processes, and also run malware locally via actions such as deployViaSCM and deployViaWMI. ShinyHunters has taken credit for the release of the ShinySp1d3r RaaS; yet, the group stated that the platform will be managed under the brand of their former coalition. Whether this is a PR stunt to garner more recognition for Scattered Spiders and LAPSUS$ after law enforcement’s seizure of BreachForums remains unclear. However, Scattered Spider’s (and by extension ShinyHunters’) creation of their own encryptors and dedicated platform may serve as a model for more groups to follow, helping them to break away from affiliate relationships. 

Now, let’s explore the notable news and findings since the last Threat Debrief release. 

Qilin’s claimed victims decline after Korean Leaks Campaign: Qilin claimed 122 victims in November, which is a stark contrast from the 205 victims reported in the previous month. From August to October, Qilin, assisted by another threat actor (likely Moonstone Sleet), leveraged the compromise of an MSP ecosystem to leak data from more than 30 organizations based in South Korea. While the group has secured the first rank in our Top 10 again, their victims are far lower than anticipated and do not feature organizations from East Asian regions.

Clop Climbs to Second Place: Clop claimed 102 victims, surpassing Akira and reclaiming a position in the Top 10. The majority of Clop’s victims in the past month have been organizations in the manufacturing, technology, and healthcare industries. The group has repeatedly exploited a zero-day vulnerability to compromise numerous systems. Clop’s attacks have also targeted systems impacted by CVE-2025-61882, which leads to the compromise of Oracle Concurrent Processing. Organizations using Oracle E-Business Suite versions 12.2.14 to 12.2.3 are advised to implement the latest patch to mitigate this flaw.

React2Shell Vulnerability is Disclosed: CVE-2025-55182 is a critical flaw affecting React Server Components. The vulnerability allows an attacker to gain initial access and perform remote code execution after sending HTTP requests containing malicious objects to the server. React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 are affected. The flaw also impacts the default configurations across the Next.js framework (15.x, 16.x) and Canary builds (14.x). Organizations using these iterations of React and supported components, are advised to patch them immediately. The React2Shell vulnerability may result in a widespread impact similar to those experienced with the exploitation of the Apache Log4Shell and Log4j flaws in ransomware attacks that hit multiple sectors.

CISA Updates Akira Advisory to Include Targeted Nutanix VMs: Hypervisors such as ESXi and Hyper-V environments have been prevalent targets for many ransomware groups aiming to take down hundreds of machines in seconds, Akira has launched campaigns targeting Nutanix VMs for nearly a year. Unlike with the ESXi systems, Akira’s Linux encryptor used in the Nutanix AHV environment can skip the process of powering off virtual machines and encrypt virtual disks (ending in .qcow2). Organizations are advised to ensure that flaws acting as common entry points for Akira and other ransomware groups such as CVEs impacting VPN and network appliances are identified and remediated. It is also recommended that they implement an effective backup and recovery plan.

Warlock Claims Several More Victims Based in Russia: Warlock claimed 3 victims in November that were based in Russia. This instance of more than one Russian-based organization being claimed in one month, and by the same ransomware group, is an anomalous event. This leads many to question Warlock’s motivations and origins. Notably, threat actors utilize capabilities mirroring that of a state-sponsored group, Storm-2603, which has leveraged Warlock ransomware in campaigns that abused flaws affecting SharePoint ToolShell. Shared TTPs between the two entities supports hypotheses that Warlock is an established, China-based threat in spite of the fact that China tends to support Russian-aligned interests.

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks. Here’s the Top 10 ransomware groups.

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. In many cases, this means focusing on developed countries with higher projected growth rates. Threat actors may also execute strategic attacks that unfold during geopolitical conflicts or periods of social unrest. Let’s see the top 10 countries that took the biggest hit from ransomware attacks.

Ransomware gangs may target organizations in critical infrastructure sectors, select other organizations that offer services tailored to consumers, or attack organizations that fall into both categories. Understanding the trends and ramifications associated with specific industries, and how specialized services and clientele are impacted is crucial for assessing risk. Here are the Top 10 industries affected by ransomware attacks.

We would like to thank Bitdefenders Vlad Craciun, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Rares Radu (sorted alphabetically) for their help with putting this report together.
Read More
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-december-2025

ScatteredSpider is known for clever social engineering tactics, leveraging VPN obfuscation to transfer victim data, and flexing their wealth. In their campaigns from early summer 2025, it was revealed that they executed DragonForce ransomware once initial access to a victim was established. This was one indication of a budding partnership between DragonForce and ScatteredSpider. However, that partnership was short-lived. ScatteredSpider has shifted its focus from targeting high-value retail organizations to targeting other industries, including transportation and aviation. 

ScatteredSpider is likely teaming up with LAPSUS$ and ShinyHunters to cast a far-reaching net, growing their collective influence and appealing to more potential recruits within their demographic of Western males aged 16 to 25. 

While many of the LAPSUS$ members who received media attention from 2022 to 2023 were teens, and some were even convicted in the years that followed, they should not be underestimated due to their age or past decisions. 

LAPSUS$ has conducted high-profile attacks and also leaked data from victim organizations in several industries, including technology and logistics. LAPSUS$ has also evolved to incorporate SIM swapping in their operations. The decision by LAPSUS$ to consider a team-up with ScatteredSpider may have stemmed from shared contacts within a criminal network. LAPSUS$ establishes connections to the Com, a larger criminal syndicate that engages in both extortion and physical crime. 

LAPSUS$ would also greatly benefit from the aid that comes with combining forces, after losing many of its members. Moreover, there is a repeated emphasis on teenagers having a common goal: committing crimes and showing off would reach a similar community found in ScatteredSpider’s group of male youth, located throughout the United Kingdom and parts of the United States. 

ScatteredSpider’s alliance with ShinyHunters may also boost their standing and influence based on ShinyHunters’ former roles in the underground. Security researchers trace ShinyHunters’ operations back to early 2020. The group is known for their role in maintaining the BreachForums platform in 2021 and launching further iterations of BreachForums and participating in activities on RaidForums. 

ShinyHunters’ connection to ScatteredSpider may go back to the spring of 2024. One marker of this collaboration between the two groups is the creation of a Sp1d3rHunters BreachForums account in May 2024. However, the account and others associated with ShinyHunters were compromised. A newer iteration of the BreachForum site was also seized by law enforcement. 

ShinyHunter’s TTPs, including their unique use of data exfiltration via known, legitimate cloud services and credential harvesting techniques, paired with ScatteredSpider's social engineering and authentication-type attacks form a far more formidable threat. The combination of tactics used by the two groups has already been observed in campaigns targeting the Salesforce platform that feature malicious lures (SSO pages) used to harvest credentials. 

Now that ScatteredSpider has shifted gears and formed an alliance with LAPSUS$ and ShinyHunters, the united group faces greater scrutiny from law enforcement agencies and threat intelligence firms seeking insights into their operations. 

The alliance likely wants to be perceived as a highly capable and wealthy threat. Performative acts of showing off, such as posting an image of the red Chevrolet Corvette, appear impressive. However, upon closer examination, it becomes clear that the image is cropped to obscure a wider view. 

The vehicle’s model is six years old with the Stingray Premium 3LT trim. This trim makes the particular Corvette comparable in cost to a 2025 Honda Pilot, which has a price range of $45,000 to $60,000. Nice, yes, but it doesn’t convey the image of a ransomware group bringing in millions of dollars to purchase imported accessories and luxury sports cars. 

And, just like the fleeting nature of the scattered lapsus$ hunters Telegram channel, the promoted collaboration may be a temporary glimpse into a moment that is not followed up with decisive action. 

Whether ScatteredSpider can truly surpass LockBit and rival the ransomware cartel that DragonForce has built remains unknown. No further connections have been drawn between ScatteredSpider and DragonForce. Their partnership, like others, was not sustainable as ScatteredSpider's team up with LAPSUS$ and ShinyHunter's became public. At the time of this post, there is no data leak site that has been linked to the ScatteredSpider-LAPSUS$-ShinyHunters collaboration. No release date for their RaaS has been publicized, and there are no mentions of specific platform features.

Bitdefender has observed a phenomenon year after year: competition in the RaaS space remains fierce and chaotic. The fight against time (until detection), innovation to stand out among competition, and prowess to maneuver away from law enforcement, positions many cybercriminal groups to join other criminal enterprises or fail and cease their operations entirely. Fewer ransomware groups, excluding rebranded entities, are persisting beyond two to three years. 

Ransomware threats, ranging from small and insular extortion groups to large, interconnected networks, continue to pose significant challenges for organizations seeking to protect their assets and reputation. As the threat landscape undergoes frequent changes, understanding the elements that influence ransomware operations, and a successful or unsuccessful compromise, is vital to implement timely and relevant threat-informed countermeasures. 

For a comprehensive analysis of the ransomware playbook, including attack execution paths and defense strategies, please refer to our updated Bitdefender Ransomware Whitepaper.