#NSBCS.082 - Q2 Ransomware Report Teaser
Source: NSB Cyber
Ransomware Q2 2025 Report: Insights for Australian Organisations
The NSB Cyber Intelligence Centre’s (NSB CIC) Ransomware Q2 2025 Report offers an in-depth, data-driven analysis of cyber threats impacting Australian organisations from April to June 2025. Drawing on open and closed-source intelligence, our upcoming report unravels the shifting tactics of ransomware groups, providing clear, actionable insights. By dissecting key incidents and emerging trends across global and regional landscapes, it equips Australian businesses and organisations with the strategic knowledge to strengthen their cybersecurity defences. Whether protecting critical infrastructure, sensitive data, or operational continuity, this report will be a helpful resource for staying ahead of sophisticated cyber threats.
What’s Inside
A Shifting Threat Landscape: Ransomware activity evolved in Q2 2025, with notable disruptions to major players like RansomHub reshaping the global scene. Australia, New Zealand, and Fiji faced persistent targeting, particularly in professional services, manufacturing, and healthcare sectors.
RansomHub’s Unravelling: A dominant force in early 2025, RansomHub stumbled in April after internal chaos and a public spat with DragonForce. With its operations in disarray, questions loom over its future.
Old Dog, Same Tricks: Groups like Qilin and Akira kept the pressure on, exploiting weak systems and third-party vulnerabilities. Victims ranged from global giants like Hitachi Vantara to local firms such as McDowall Affleck and Kempe Engineering in Australia's manufacturing sector.
Report Highlights
Deep Analysis: Explores RansomHub’s rise and fall, alongside the adaptability of groups like Qilin and Akira.
Australian Perspective: Features case studies on local healthcare and manufacturing breaches.
Trend Tracking: Examines targeting patterns to inform strategic planning.
Why It Matters
As ransomware groups continue to develop their tactics and increasingly target critical sectors, Australian organisations face mounting risks that threaten operational stability, financial security, and reputational integrity. The evolving nature of these attacks, which exploit legacy systems, third-party weaknesses, and supply chain vulnerabilities, requires proactive and informed cybersecurity measures. By understanding the latest adversary strategies and regional vulnerabilities, businesses can prioritise robust defences, enhance incident response frameworks, and build resilience against disruptions, taking #NoStepsBackward.
The Q2 2025 Report is due for release in the week commencing 14 July 2025. Contact NSB CIC via our Contact Page to learn more.
What we read this week
Shellter Elite Loader Leaked, Abused in Infostealer Campaigns - Threat actors have been observed abusing Shellter Elite v11.0—an AV/EDR evasion tool designed for red teams—after a customer leaked the software. Elastic Security Labs linked the misuse to the delivery of infostealers including Rhadamanthys, Lumma, and Arechclient2, spread via phishing emails and YouTube comments since at least April 2025. Shellter confirmed the breach, attributing it to a recently licensed client. In response, version 11.1 has been released to trusted customers only. The vendor criticised Elastic for failing to report the issue earlier, stating this is the first misuse incident since its strict licensing model began in 2023.
SafePay Suspected in Ingram Micro Ransomware Outage - Ingram Micro has confirmed a ransomware attack that caused widespread service disruptions over the US Independence Day long weekend. The incident, identified on Thursday, left global customers unable to place orders. Ingram took affected systems offline and engaged cyber experts to investigate, also notifying law enforcement and filing with the SEC. A ransom note reportedly links the incident to SafePay, one of the most active ransomware groups in May 2025, though no data has yet appeared on its leak site. Customers fear potential downstream risk, prompting some MSPs to revoke privileged access to prevent possible lateral movement. Restoration efforts remain ongoing.
Hunters International Shuts Down, Offers Free Decryptors - Ransomware group Hunters International has announced its closure and is providing free decryptors to all victims. The gang, which emerged in 2023 as a rebrand of the defunct Hive ransomware group, had targeted over 300 organisations using Hive-derived tools and later deployed SharpRhino malware to establish remote access. Researchers had earlier reported the group winding down amid wider disruption of the ransomware ecosystem, including law enforcement crackdowns. Hunters International's exit aligns with an earlier plan to transition into "World Leaks," a data extortion operation that avoids encryption. World Leaks has already listed 20 victims.
Manufacturing Security: Default Passwords Remain a Critical Risk - Default passwords continue to pose a serious threat to manufacturing and critical infrastructure. In one recent case, Iranian hackers breached a US water facility using the default password "1111." CISA has since urged manufacturers to eliminate default credentials entirely. Default passwords are frequently exploited for botnet recruitment, ransomware deployment, and supply chain intrusions. The Mirai botnet, for example, used a list of roughly 61 known username and password pairs to hijack over 600,000 IoT devices. Manufacturers should adopt secure-by-design measures, including unique per-device credentials and secure onboarding, while IT teams must enforce strict password policies and perform regular audits to minimise exposure.
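To make the "unique credentials plus regular audits" advice concrete, here is an added Python example (not from the article, CISA, or any vendor) that audits a constructed device inventory for known factory defaults and for one password reused across several devices, and shows a secure-onboarding stand-in that mints a random per-device password at provisioning time and stores only a salted hash. The KNOWN_DEFAULTS table and the SAMPLE_INVENTORY are constructed for the example; the handful of default pairs stand in for the roughly 60 that shipped in Mirai's source.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample of factory-default credentials. Mirai's source carried a
# table of about 60 such user/password pairs; these entries stand in for that
# list and are not copied from any vendor's documentation.
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "1234"), ("admin", "1111"),
    ("root", "root"), ("root", "xc3511"), ("root", "vizxv"),
    ("user", "user"), ("", "1111"),
}

PBKDF2_ROUNDS = 200_000


def audit_inventory(devices, defaults=KNOWN_DEFAULTS):
    """Return sorted (serial, issue) pairs for devices still on a known default
    and for devices that share one password across the fleet. A "unique
    credentials" policy fails in either case, so both are reported."""
    findings = set()
    by_password = defaultdict(list)
    for dev in devices:
        if (dev["user"], dev["password"]) in defaults:
            findings.add((dev["serial"], "default-credential"))
        by_password[dev["password"]].append(dev["serial"])
    for serials in by_password.values():
        if len(serials) > 1:
            findings.update((s, "shared-password") for s in serials)
    return sorted(findings)


def provision_device(serial):
    """Secure-onboarding stand-in (assumed design, not a specific vendor's):
    generate a random per-device password at manufacture, print it on the
    label, and keep only a salted PBKDF2 hash on the device.
    Returns (password_for_label, stored_record)."""
    password = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return password, {"serial": serial, "salt": salt, "hash": digest}


def verify_login(record, password):
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return secrets.compare_digest(digest, record["hash"])


# Constructed inventory: one PLC still on "1111", two PLCs sharing a password,
# one HMI with a unique password.
SAMPLE_INVENTORY = [
    {"serial": "PLC-0001", "user": "admin", "password": "1111"},
    {"serial": "PLC-0002", "user": "admin", "password": "Plant-West-2024"},
    {"serial": "PLC-0003", "user": "admin", "password": "Plant-West-2024"},
    {"serial": "HMI-0010", "user": "ops", "password": "k9!Q2v#rT8wZ"},
]

if __name__ == "__main__":
    for serial, issue in audit_inventory(SAMPLE_INVENTORY):
        print(f"{serial}: {issue}")
    label_pw, rec = provision_device("PLC-0004")
    print("provisioned", rec["serial"], "login ok:", verify_login(rec, label_pw))
```

The audit deliberately treats a fleet-wide shared password as a finding even when it is not a published default: once one device leaks it, every other device is exposed the same way a default would be.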
BERT Ransomware Expands Globally Across Windows and Linux Targets - BERT (also known as Water Pombero) is a newly emerged ransomware group targeting organisations across Asia, Europe, and the US, particularly in healthcare, technology, and events. Active since April 2025, BERT uses PowerShell-based loaders (start.ps1) to disable defences and deploy ransomware payloads. Its Linux variant supports 50-thread encryption and forcibly shuts down ESXi virtual machines. Encrypted files are appended with the .encrypted_by_bert extension, and ransom notes are dropped system-wide. Hosting infrastructure linked to Russia suggests potential Eastern European ties. The group's evolving techniques mirror older REvil and Babuk code, underscoring rising threats from adaptable, cross-platform ransomware operations.
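As an added example (not from the page or from Trend Micro's report), the following Python turns the behaviours summarised above into a small hunting check over constructed log lines: the .encrypted_by_bert suffix is the indicator the summary gives; the ESXi `esxcli vm process kill --type=force` command line and the `Set-MpPreference -DisableRealtimeMonitoring` cmdlet are assumptions about how "forcibly shuts down ESXi virtual machines" and "disable defences" would appear in ESXi shell.log and PowerShell logging respectively. The SAMPLE_LINES are constructed, not captured from an incident.

```python
import re

# Indicator from the summary: BERT appends this suffix to encrypted files.
BERT_SUFFIX = ".encrypted_by_bert"

# esxcli vm process kill is a legitimate ESXi admin command; the signal is
# several forced kills in one window, not the command itself. That BERT issues
# exactly this command line is an assumption, not a claim from the summary.
ESXI_FORCE_KILL = re.compile(
    r"esxcli\s+vm\s+process\s+kill\b.*?(?:-t|--type)[= ]force", re.I)

# Assumed defence-tampering step for the start.ps1 stage; the summary only
# says the loader "disables defences".
PS_TAMPER = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true", re.I)


def scan_lines(lines):
    """Return a dict of indicator name -> list of matching lines."""
    hits = {"encrypted_file": [], "esxi_force_kill": [], "defender_tamper": []}
    for line in lines:
        if BERT_SUFFIX in line:
            hits["encrypted_file"].append(line)
        if ESXI_FORCE_KILL.search(line):
            hits["esxi_force_kill"].append(line)
        if PS_TAMPER.search(line):
            hits["defender_tamper"].append(line)
    return hits


def assess(hits, kill_threshold=3):
    """Escalate when VMs are being force-killed in bulk, when files carry the
    BERT suffix, or when real-time protection was switched off.
    Returns (severity, reasons)."""
    reasons = []
    if len(hits["esxi_force_kill"]) >= kill_threshold:
        reasons.append(f"{len(hits['esxi_force_kill'])} forced VM kills")
    if hits["encrypted_file"]:
        reasons.append(f"{len(hits['encrypted_file'])} files with {BERT_SUFFIX}")
    if hits["defender_tamper"]:
        reasons.append("real-time protection disabled via PowerShell")
    return ("critical" if reasons else "clean", reasons)


# Constructed sample: ESXi shell.log style entries, a file listing and one
# PowerShell script-block entry. Not real incident data.
SAMPLE_LINES = [
    "2025-04-10T02:13:01Z shell[2100]: [root]: esxcli vm process list",
    "2025-04-10T02:13:05Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2101345",
    "2025-04-10T02:13:06Z shell[2100]: [root]: esxcli vm process kill --type=force --world-id=2101402",
    "2025-04-10T02:13:07Z shell[2100]: [root]: esxcli vm process kill -t force -w 2101477",
    "2025-04-10T02:14:20Z shell[2100]: [root]: ls /vmfs/volumes/ds1/app01/",
    "/vmfs/volumes/ds1/app01/app01-flat.vmdk.encrypted_by_bert",
    "/vmfs/volumes/ds1/app01/app01.vmx.encrypted_by_bert",
    "ScriptBlock: Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-04-10T02:15:00Z shell[2100]: [root]: esxcli system version get",
]

if __name__ == "__main__":
    severity, why = assess(scan_lines(SAMPLE_LINES))
    print(severity)
    for r in why:
        print(" -", r)
```

The kill threshold exists because a single forced VM kill is routine operations work; three or more within the same log window is what distinguishes a mass shutdown ahead of encryption from an administrator clearing a hung guest.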
References
https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellter-red-team-tool-to-deploy-infostealers/
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-attack-outage-ingram-micro
https://securityaffairs.com/179667/cyber-crime/hunters-international-ransomware-gang-shuts-down-and-offers-free-decryption-keys-to-all-victims.html
https://thehackernews.com/2025/07/manufacturing-security-why-default.html
https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html