#NSBCS.097 - Q3 Ransomware Report Teaser
Source: NSB Cyber
Q3 Ransomware Report Teaser
The NSB Cyber Intelligence Centre (CIC)’s Q3 2025 Ransomware Report is a comprehensive, data-driven analysis of ransomware activity and trends, designed to give Australian and global organisations a clear understanding of the evolving cyber threat landscape. Produced by the NSB CIC, a specialised team focused on cyber threat intelligence, the report brings together information from diverse sources to deliver actionable insights. It integrates open-source intelligence, such as publicly reported breaches, threat actor communications, and industry publications, with closed-source intelligence, including proprietary data from dark web monitoring, incident response engagements, and confidential industry collaborations.
Globally, Q3 ransomware incidents fell to 1,405, down from 2,132 in Q1 2025 and 1,437 in Q2 2024 (a 2.2% drop from Q2), pointing to a levelling off attributed to law enforcement pressure and infighting among threat groups. In Oceania, 19 attacks were confirmed across Australia, New Zealand, and Fiji, a 47.22% decrease from Q2, with Financial Services, including cases like Magellan Financial Group, hit hardest. Qilin led globally with 16.21% of attacks (227 victims), followed by Akira at 9.14% (128 incidents), both targeting weak third-party systems, outdated infrastructure, and insecure remote access. Manufacturing saw 225 global incidents, Healthcare rose 15%, and Technology climbed 23.8%. Major breaches, such as Metricon Homes losing 128GB of data and Loyola College exposing 600GB, show a shift to data-theft-focused extortion. Groups like ScatteredLapsus$ShinyHunters are homing in on cloud systems and supply chains.
For a detailed breakdown of these trends and practical steps to strengthen your defences, check the full NSB CIC Q3 2025 Ransomware Report here.
What we read this week
Chinese Hackers Breach F5 Cybersecurity Firm in Year-Long Intrusion - Sources have attributed a prolonged digital intrusion into U.S.-based cybersecurity provider F5 to Chinese state-sponsored actors, with the breach lasting over a year and potentially compromising networks that rely on its products. According to Reuters, the hackers gained access starting in mid-2024, exfiltrating data and using F5's BIG-IP devices as entry points to target government and corporate systems. The intrusion mirrors the 2020 SolarWinds attack in scope, prompting widespread scans for compromise indicators like unusual outbound traffic or anomalous API calls. F5 has notified affected customers and enhanced its logging capabilities, but experts warn that the full impact may take months to assess. Organisations using F5 appliances are advised to apply the latest patches, enable multi-factor authentication, and conduct thorough network audits to detect persistence mechanisms.
Microsoft Report Reveals Extortion and Ransomware Behind Over Half of Cyberattacks - Microsoft's sixth annual Digital Defense Report, covering July 2024 to June 2025, discloses that more than 50% of cyberattacks with identifiable motives were driven by extortion or ransomware demands. The analysis highlights a 32% surge in identity-based attacks, with 97% involving password guessing, and notes heavy targeting of critical sectors like healthcare and government due to their sensitive data and limited budgets. Legacy security tools are deemed inadequate against AI-enhanced threats, urging a shift to AI-driven defenses and cross-sector collaboration. Key recommendations include prioritising passwordless authentication, regular vulnerability assessments, and investing in threat intelligence sharing to build operational resilience.
CISA Adds Oracle EBS Vulnerability to Known Exploited List Amid Active Exploitation - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-61884, a critical flaw in Oracle's E-Business Suite (EBS), to its Known Exploited Vulnerabilities catalog due to confirmed in-the-wild exploitation. SecurityWeek reports that the vulnerability enables unauthenticated remote code execution, allowing attackers to deploy web shells and gain full system control, with impacts seen in educational and administrative environments like Harvard University. Federal agencies face a deadline to patch or discontinue use by November 2025. Oracle has released fixes, and affected organisations should isolate EBS instances, monitor for unauthorised uploads, and implement least-privilege access to prevent lateral movement.
Malicious NPM Package Targets Ethereum Wallets with Data Exfiltration - Security firm Socket has uncovered a malicious npm package named "Netherеum.All," uploaded on October 16, 2025, designed to steal cryptocurrency wallet credentials from Ethereum users. As detailed by The Hacker News, the package decodes the address of a command-and-control server and exfiltrates mnemonic phrases, private keys, and keystore data, affecting developers who integrate it into blockchain applications. Disguised as a legitimate Nethereum library variant, it garnered downloads before detection. The incident underscores risks in open-source supply chains, with recommendations for developers to verify package authenticity via npm audit tools, use dependency scanners, and adopt code signing to mitigate similar threats.
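The package name above swaps a Cyrillic "е" (U+0435) for the Latin "e", which is why it reads as the genuine Nethereum library. As an added example (not Socket's, The Hacker News's or NSB's code), the check below scans a dependency list for mixed-script names and confusable look-alikes of an allow-list of trusted names; the confusables table, sample manifest and allow-list are constructed for the example, and the "lookalike" case generalises to names written entirely in confusable characters.

```python
import unicodedata

# Constructed confusables table (a small subset of Unicode's list):
# Cyrillic letters that render like Latin ones in most fonts.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
               "\u0455": "s", "\u0458": "j"}

def scripts_in(name):
    """Scripts used by the letters of a name, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in name if c.isalpha()}

def skeleton(name):
    """Lower-case form with confusable characters folded to their Latin twin."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()

def check_dependency(name, trusted):
    """Classify one dependency name against an allow-list of trusted names.
    Returns (verdict, detail); verdict is 'ok', 'mixed-script', 'lookalike'
    or 'unknown'."""
    if name in trusted:
        return "ok", ""
    if len(scripts_in(name)) > 1:
        # List every non-ASCII code point so a reviewer sees the substitution.
        detail = "; ".join(f"U+{ord(c):04X} {unicodedata.name(c)}"
                           for c in name if not c.isascii())
        return "mixed-script", detail
    skel = skeleton(name)
    for t in trusted:
        # Resembles a trusted package only once confusables are folded.
        if skel.startswith(t.lower()) and not name.lower().startswith(t.lower()):
            return "lookalike", f"resembles {t}"
    return "unknown", "not in allow-list"

def audit(dependencies, trusted):
    """Return {name: (verdict, detail)} for every dependency that is not 'ok'."""
    results = {d: check_dependency(d, trusted) for d in dependencies}
    return {d: r for d, r in results.items() if r[0] != "ok"}

# Constructed sample manifest: the genuine name, the homoglyph name from the
# report (Cyrillic U+0435 in place of Latin 'e'), and an unrelated package.
SAMPLE_DEPENDENCIES = ["Nethereum", "Nether\u0435um.All", "left-pad"]
TRUSTED = ["Nethereum"]

if __name__ == "__main__":
    for name, (verdict, detail) in audit(SAMPLE_DEPENDENCIES, TRUSTED).items():
        print(f"{name!r}: {verdict} {detail}")
```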
Defcon 2025 Highlights AI-Driven Attacks and Phishing Training Gaps - The 2025 Defcon hacker convention, recapped in a Peterson Technology Partners roundup, showcased demonstrations of AI-powered phishing campaigns and revealed that traditional training fails to curb 70% of simulated attacks due to user fatigue. Key sessions exposed evolving malware trends, including ransomware variants exploiting cloud misconfigurations, and a U.S. court system breach via unpatched endpoints. Attendees emphasised proactive measures like behavioural analytics and gamified awareness programs. Companies are encouraged to integrate AI for real-time threat simulation, conduct red-team exercises, and update incident response plans to address these gaps exposed at the event.
References
https://www.reuters.com/sustainability/boards-policy-regulation/cyber-defenders-sound-alarm-f5-hack-exposes-broad-risks-2025-10-20/
https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/
https://cyberpress.org/cisa-alerts-oracle-ebs-ssrf-flaw/
https://thehackernews.com/2025/10/fake-nethereum-nuget-package-used.html
https://www.ptechpartners.com/2025/10/21/cybersecurity-news-roundup-august-mid-october-2025/