25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns

Posted By on Nov 21, 2025

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, over 20% more than the second most active group, Qilin, with 18%, and Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys information activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors.  Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist