Quarterly Threat Landscape Briefing — Sample
Executive Summary
This is a sample briefing that illustrates the format and depth of analysis OmegaBlack delivers to subscribers. The scenarios, threat actor names, and statistics below are illustrative examples — actual briefings contain real-time intelligence tailored to your industry and threat profile.
The fourth quarter was defined by consolidation among ransomware-as-a-service operators, a dramatic surge in AI-generated phishing campaigns, and continued expansion of the initial access broker ecosystem. Threat intelligence analysts tracked a measurable shift in attacker economics: the cost of launching sophisticated attacks continued to fall while average ransom demands increased quarter-over-quarter, reflecting an adversary landscape that is becoming simultaneously more accessible and more profitable.
Three macro trends dominated the quarter. First, the top three RaaS operations consolidated 67% of all tracked ransomware incidents, up from 45% in Q3, as smaller operators either merged with larger syndicates or exited the market entirely. Second, AI-augmented social engineering moved from proof-of-concept to operational reality, with deepfake voice and video appearing in 12% of business email compromise attacks tracked during the period. Third, software supply chain attacks increased 78% from Q3 as threat actors shifted focus from direct exploitation to upstream dependency poisoning.
For security teams, the operational implications are clear: legacy detection models built around known signatures and static rules are failing at an accelerating rate. Organizations that have not invested in behavioral analytics, continuous supply chain monitoring, and AI-aware email filtering are operating with significant blind spots that adversaries are actively exploiting.
Key Findings
Ransomware-as-a-Service Operations Consolidating
The top three RaaS groups now account for 67% of all ransomware incidents, up from 45% in Q3. Smaller operators are being absorbed or shutting down, concentrating capability and resources among a handful of highly sophisticated syndicates. This consolidation is producing more reliable encryption tooling, faster deployment timelines, and increasingly aggressive extortion tactics including triple extortion targeting downstream customers and partners.
Dark Web Credential Prices Falling
The average price per credential on major dark web marketplaces dropped 40% during Q4, driven by oversupply from several major breaches in the healthcare and financial services sectors. Corporate VPN credentials averaged $14.50 per record, down from $24 in Q3. RDP access credentials for mid-market companies fell to $8.20. This price compression indicates a buyer's market for initial access, lowering the barrier to entry for less-resourced threat actors.
AI-Generated Phishing Campaigns Surge
OmegaBlack analysts documented a 340% increase in AI-generated phishing emails that successfully bypassed traditional email security filters during Q4. These campaigns leverage large language models to produce grammatically perfect, contextually appropriate messages that lack the telltale indicators of traditional phishing. Multilingual campaigns targeting non-English-speaking employees increased 190%, suggesting threat actors are using AI to scale operations across language barriers that previously limited their reach.
Cloud Configuration Exploits Rising
Exploitation of cloud misconfigurations increased 85% year-over-year, with default IAM policies and overprivileged service accounts representing the most common attack surface. AWS and Azure environments were equally targeted. The median time from initial access via misconfigured cloud resources to lateral movement was 4.2 hours, a significant reduction from 11 hours in Q3, indicating that attackers have developed more efficient playbooks for cloud environment exploitation.
Initial Access Brokers Expanding
Initial access broker listings on monitored forums and marketplaces increased 120% during Q4, with healthcare and manufacturing organizations representing the most frequently listed targets. The average listing price for persistent network access to a mid-market organization was $4,800, while access to organizations with revenue exceeding $1 billion commanded premiums of $25,000 or more. IAB operators are increasingly offering guaranteed access windows and post-sale support.
Trend Indicators
Ransomware Double Extortion
Double extortion is now the standard operating procedure for 89% of ransomware groups tracked by OmegaBlack, up from 74% in Q3. Threat actors routinely exfiltrate sensitive data before deploying encryption, using the threat of public disclosure to apply additional pressure on victims who have viable backup and recovery capabilities. A growing subset of operators is adopting triple extortion, extending threats to the victim's customers, partners, and regulatory bodies.
AI-Augmented Social Engineering
Deepfake voice and video technology appeared in 12% of business email compromise attacks during Q4, marking the transition of AI-augmented social engineering from theoretical concern to operational threat. Threat actors are using voice cloning to impersonate executives in phone calls requesting urgent wire transfers, and video deepfakes to authenticate fraudulent requests during video conferences. Detection tooling remains immature, and most organizations lack policies or verification procedures designed for this attack vector.
Supply Chain Targeting
Software supply chain attacks increased 78% from Q3, driven by threat actors recognizing the asymmetric leverage of compromising upstream dependencies. Open-source package repositories remained the primary vector, with 23 confirmed malicious packages discovered in npm, PyPI, and RubyGems ecosystems during the quarter. Commercial software supply chain compromises also increased, with four confirmed incidents involving managed service providers used as pivot points to access downstream client environments.
Nation-State APT Activity
Nation-state advanced persistent threat activity remained consistent with Q3 levels, with sustained targeting of critical infrastructure, defense industrial base, and government entities. Chinese-attributed groups maintained focus on intellectual property theft from semiconductor and advanced manufacturing sectors. Russian-attributed operations continued intelligence collection against NATO-aligned government networks. Iranian-attributed actors expanded operations against regional rivals and maritime shipping logistics, while North Korean groups maintained focus on cryptocurrency theft to fund regime operations.
Ransomware Landscape
The ransomware ecosystem underwent significant structural change during Q4 2025. The consolidation trend that began in mid-2025 accelerated sharply, with the three dominant RaaS operations — tracked by OmegaBlack as PHANTOM SPIDER, OBSIDIAN WOLF, and CRIMSON BEAR — now collectively responsible for 67% of all confirmed ransomware incidents. This represents a dramatic concentration from 45% in Q3 and reflects a maturing criminal marketplace where scale, reliability, and operational security are displacing the fragmented operator model that characterized earlier periods.
PHANTOM SPIDER emerged as the most prolific operator during Q4, accounting for 31% of tracked incidents. Their updated encryptor deployed in October demonstrated significantly improved speed and evasion capabilities, completing full-disk encryption on average 40% faster than the previous version while evading seven of ten leading EDR platforms in controlled testing. The group also introduced a new affiliate program with tiered revenue sharing that attracted operators from at least two defunct RaaS programs.
OBSIDIAN WOLF differentiated through vertical specialization, focusing almost exclusively on healthcare and financial services targets where regulatory pressure amplifies the impact of data exfiltration threats. Their Q4 campaigns demonstrated detailed knowledge of sector-specific compliance requirements, with ransom notes explicitly referencing HIPAA, PCI DSS, and SEC reporting obligations. Average ransom demands from OBSIDIAN WOLF exceeded $4.2 million, the highest of any tracked group.
CRIMSON BEAR maintained steady operations focused on manufacturing and logistics organizations, exploiting the operational technology dependencies that make extended downtime particularly costly for these sectors. Their attack chains consistently leveraged initial access through compromised VPN appliances, followed by lateral movement using living-off-the-land techniques that minimized detection opportunities. The group's average time from initial access to encryption deployment was 3.8 days, down from 6.2 days in Q3.
The operational implications for defenders are significant. With fewer, more capable operators controlling the majority of ransomware activity, the quality of tooling and tradecraft is improving rapidly. Organizations should expect faster encryption, more effective evasion, and more aggressive extortion tactics. The consolidation also means that threat intelligence on these three groups has outsized defensive value — understanding their TTPs provides coverage for the majority of the ransomware threat landscape.
Dark Web Intelligence
The dark web marketplace landscape continued to evolve during Q4 2025, with credential pricing dynamics, forum migration patterns, and emerging communication channels all producing actionable intelligence for defenders. OmegaBlack analysts tracked activity across 47 active marketplaces, 312 Telegram channels, and 89 specialized forums throughout the quarter.
The most significant development was the sustained decline in credential pricing. The average per-record price for corporate credentials fell 40% during Q4, driven primarily by oversupply from three major breaches affecting healthcare organizations and two affecting financial services firms. Corporate VPN credentials averaged $14.50 per record, down from $24 in Q3. This price compression has meaningful security implications: lower access costs reduce the economic barrier for less-sophisticated threat actors, effectively expanding the pool of adversaries capable of targeting any given organization.
Two major marketplace takedowns by international law enforcement in November temporarily disrupted trading activity, but the ecosystem demonstrated its characteristic resilience. Within 72 hours, the majority of displaced vendors had established presence on alternative platforms, and trading volumes recovered to 85% of pre-takedown levels within two weeks. The speed of recovery underscores the futility of purely disruptive approaches to dark web threat mitigation — organizations must assume that stolen credentials will find buyers regardless of enforcement actions.
Forum migration patterns revealed a continued shift toward encrypted messaging platforms, particularly Telegram and its emerging alternatives. An estimated 35% of initial access broker negotiations now occur on Telegram rather than traditional dark web forums, complicating monitoring efforts for organizations that focus exclusively on Tor-based marketplaces. OmegaBlack expanded its Telegram monitoring coverage by 60% during Q4 to address this shift.
Emerging trends in the dark web economy include the growth of "access-as-a-service" subscription models, where initial access brokers offer ongoing access maintenance rather than one-time sales. These arrangements guarantee buyers persistent access for a monthly fee, with the broker responsible for maintaining backdoors and re-establishing access if discovered. This business model shift makes traditional incident response more difficult, as remediation may be followed by rapid re-compromise through separately maintained access channels.
Emerging Attack Vectors
Three emerging attack vectors demanded particular attention during Q4 2025: AI-augmented social engineering, software supply chain poisoning, and cloud-native exploitation techniques. Each represents a fundamental challenge to existing defensive models and requires proactive adaptation rather than reactive response.
AI-augmented social engineering crossed the threshold from theoretical concern to operational reality during Q4. OmegaBlack documented confirmed use of deepfake voice technology in 47 business email compromise incidents during the quarter, representing 12% of all tracked BEC attacks. In the most sophisticated cases, threat actors used voice cloning trained on publicly available audio — earnings calls, conference presentations, podcast appearances — to impersonate C-suite executives in phone calls to finance teams requesting urgent wire transfers. Three confirmed incidents involved real-time video deepfakes used during Zoom or Teams calls to authenticate fraudulent instructions.
The effectiveness of AI-generated phishing content increased dramatically. Traditional indicators of phishing — grammatical errors, awkward phrasing, formatting inconsistencies — are absent from AI-generated messages. Our analysis showed that AI-generated phishing emails achieved click-through rates 3.2 times higher than traditionally crafted campaigns. Multilingual campaigns expanded significantly, with threat actors using AI translation to target non-English-speaking employees who were previously insulated by language barriers.
Software supply chain attacks increased 78% from Q3. The attack surface in open-source package ecosystems remains vast and inadequately defended. OmegaBlack identified 23 confirmed malicious packages across npm, PyPI, and RubyGems during Q4, using techniques including dependency confusion, typosquatting, and maintainer account compromise. The average time from package publication to discovery was 18 days, providing ample opportunity for downstream compromise.
Cloud-native exploitation evolved substantially during Q4, with attackers demonstrating sophisticated understanding of cloud platform internals. Exploitation of default IAM policies and overprivileged service accounts accounted for 62% of cloud intrusions tracked during the quarter. Serverless function abuse emerged as a novel persistence mechanism, with threat actors deploying malicious Lambda functions and Azure Functions that execute on triggers designed to survive standard remediation procedures. Container escape techniques also advanced, with two new exploits demonstrated against default Kubernetes configurations.
Sector-Specific Threats
Threat activity during Q4 2025 varied significantly by sector, with healthcare, manufacturing, financial services, and technology organizations experiencing distinct threat profiles that reflect the specific assets, regulatory environments, and operational dependencies that make each sector attractive to different adversary types.
Healthcare remained the most heavily targeted sector for the fourth consecutive quarter, driven by the combination of sensitive data, regulatory pressure, and operational criticality that makes healthcare organizations particularly susceptible to extortion. Ransomware incidents affecting healthcare organizations increased 34% from Q3, with OBSIDIAN WOLF responsible for 41% of tracked cases. The sector's rapid adoption of connected medical devices and telehealth platforms expanded the attack surface faster than security controls adapted, creating exploitation opportunities in IoT medical devices and poorly segmented clinical networks.
Manufacturing and industrial organizations experienced a 52% increase in targeted attacks during Q4, with threat actors increasingly focusing on operational technology environments where disruption creates immediate financial pressure. CRIMSON BEAR dominated manufacturing targeting, exploiting the convergence of IT and OT networks that accelerated during post-pandemic modernization initiatives. Attacks against manufacturing organizations demonstrated longer reconnaissance phases, with threat actors mapping OT dependencies to maximize disruption and extortion leverage.
Financial services faced sustained pressure from both criminal and nation-state actors. Credential theft targeting banking employees increased 67%, while API exploitation against fintech platforms emerged as a significant vector. The sector's mature security posture relative to other industries drove attackers toward social engineering and supply chain vectors rather than direct technical exploitation. Business email compromise targeting financial services firms increased 43%, with AI-generated content making these campaigns significantly more difficult to detect.
Technology companies, particularly SaaS providers and managed service providers, were increasingly targeted as pivot points for supply chain attacks. Four confirmed incidents during Q4 involved MSP compromises used to access downstream client environments. The concentration of access and data within technology platforms makes these organizations high-value targets whose compromise can cascade across hundreds or thousands of customer organizations. Threat actors demonstrated patience in these campaigns, maintaining persistent access for weeks before leveraging it for downstream operations.
Geopolitical Threat Context
The geopolitical environment during Q4 2025 continued to shape cyber threat activity in predictable but significant ways. Ongoing conflicts, economic competition, and strategic rivalry between major powers sustained elevated levels of nation-state cyber operations while creating permissive environments for criminal groups operating from jurisdictions with limited enforcement cooperation.
Chinese-attributed cyber operations maintained their strategic focus on intellectual property theft and economic espionage during Q4. The semiconductor, advanced manufacturing, and pharmaceutical sectors experienced sustained targeting from groups assessed to operate under the direction or tolerance of Chinese intelligence services. Notably, Q4 saw increased targeting of European semiconductor equipment manufacturers, suggesting an expansion of collection priorities as China seeks to develop indigenous chip fabrication capabilities. The operational tradecraft of these groups continued to improve, with increased use of zero-day exploits and living-off-the-land techniques that complicate attribution and detection.
Russian-attributed activity ran on two distinct tracks during Q4. Intelligence collection operations against NATO-allied government and military networks continued at sustained levels consistent with prior quarters, with particular focus on defense planning, sanctions enforcement, and energy policy. Concurrently, criminal ransomware groups continued to operate with apparent impunity from Russian territory. The relationship between Russian intelligence services and criminal groups remained opaque but functionally permissive — ransomware operators targeting Western organizations face no meaningful domestic legal risk provided they avoid targeting Russian and CIS entities.
Iranian cyber operations expanded during Q4, with increased activity targeting Gulf state critical infrastructure, maritime shipping logistics, and regional rival defense networks. The targeting of maritime shipping reflected escalating tensions in the Red Sea and Persian Gulf, with cyber operations complementing physical disruption campaigns. Iranian-attributed groups also increased destructive attack capabilities, with wiper malware deployments targeting organizations associated with perceived adversaries.
North Korean operations remained focused on cryptocurrency theft and financial crime to generate revenue for the regime. DPRK-attributed groups stole an estimated $430 million in cryptocurrency during Q4 through a combination of exchange compromises, DeFi protocol exploits, and social engineering campaigns targeting cryptocurrency developers. These operations fund weapons programs and regime operations, making them a persistent and highly motivated threat to the cryptocurrency ecosystem.
Recommendations
Audit IAM Policies
Review and harden cloud IAM configurations across all cloud environments, with particular focus on default policies and overprivileged service accounts. Remove standing administrative access, implement just-in-time privilege elevation, and audit service account permissions against the principle of least privilege. Cloud misconfigurations accounted for 62% of cloud intrusions this quarter, and most exploited default or overly permissive IAM policies that could be identified and remediated through systematic review.
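As an added example (not OmegaBlack tooling or code from the briefing), the script below applies the review described above to AWS IAM policy documents: it flags Allow statements that grant full wildcards, service-wide wildcards, or identity-management actions on every resource without a Condition. The policy documents, bucket names and account id are constructed samples.

```python
"""Flag over-permissive Allow statements in AWS IAM policy documents.
Added example, not OmegaBlack tooling; policies below are constructed."""
from fnmatch import fnmatchcase

# Identity actions that let a principal widen its own access. Granted on
# Resource "*" without a Condition they undermine least privilege.
SENSITIVE = ("iam:passrole", "iam:attachrolepolicy", "iam:putrolepolicy",
             "iam:createpolicyversion", "iam:setdefaultpolicyversion",
             "iam:updateassumerolepolicy", "sts:assumerole")


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return one finding string per risky Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything "
                            "not listed; review the exclusions")
        if "*" in actions and all_resources:
            findings.append(f"{sid}: full administrator access (Action * on Resource *)")
            continue
        wildcards = [a for a in actions if a.endswith(":*")]
        if wildcards and all_resources:
            findings.append(f"{sid}: service-wide wildcard {wildcards} on all resources")
        # Granted actions may themselves be globs ("iam:Pass*"), so match each
        # sensitive action against the granted pattern, not the reverse.
        sensitive = [a for a in actions if any(fnmatchcase(s, a) for s in SENSITIVE)]
        if sensitive and all_resources and not stmt.get("Condition"):
            findings.append(f"{sid}: unconditioned {sensitive} on Resource *")
    return findings


# Constructed samples: a "convenient" service-account policy of the kind the
# briefing describes, a scoped alternative for the same workload, and the
# single-statement form IAM also accepts. Account id is the AWS docs placeholder.
OVERPRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3Everything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "AssumeAnything", "Effect": "Allow",
     "Action": ["sts:AssumeRole", "iam:PassRole"], "Resource": "*"},
]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "PassWorkerRoleOnly", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-worker",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
]}
ADMIN = {"Version": "2012-10-17",
         "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    for name, policy in [("OVERPRIVILEGED", OVERPRIVILEGED),
                         ("LEAST_PRIVILEGE", LEAST_PRIVILEGE), ("ADMIN", ADMIN)]:
        print(name, audit_policy(policy) or ["no findings"])
```

In practice the input would be the policy documents pulled from each account's IAM API or from infrastructure-as-code before apply; the check is deliberately conservative and only treats a literal `*` as "all resources".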
Deploy AI-Aware Email Filters
Upgrade email security infrastructure to include AI-generated content detection capabilities. Traditional rule-based and signature-based filters are demonstrably ineffective against AI-crafted phishing content, which lacks the grammatical and formatting indicators these systems rely on. Evaluate vendors offering behavioral analysis, writing style anomaly detection, and contextual verification features. Simultaneously, update security awareness training to address the reality that AI-generated phishing may be indistinguishable from legitimate communication based on content quality alone.
Enhance Supply Chain Vetting
Implement continuous monitoring of third-party software dependencies and vendor security posture. Adopt software bill of materials practices for all critical applications, deploy dependency scanning in CI/CD pipelines to detect known-malicious or compromised packages before deployment, and establish automated alerting for changes to upstream dependencies. For managed service provider relationships, require contractual security commitments, regular audit rights, and incident notification obligations that reflect the access these providers have to your environment.
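As an added example (not OmegaBlack tooling or code from the briefing), the following Python script implements the dependency-change alerting described above: it diffs two pinned lockfile snapshots, reports added, removed and version-changed packages, and flags releases that appear on a known-malicious list or whose names closely resemble widely used packages (the typosquatting pattern noted in the Emerging Attack Vectors section). The snapshots, the popular-package list and the known-malicious entry are all constructed.

```python
"""Diff pinned dependency snapshots and flag risky changes for alerting.
Added example, not OmegaBlack tooling; all inputs below are constructed."""
import difflib
from typing import List, Optional

# Constructed stand-ins: a reference list of widely used package names for the
# typosquat check, and an advisory feed of (name, version) pairs known to be bad.
POPULAR = {"requests", "urllib3", "cryptography", "boto3", "pyyaml"}
KNOWN_MALICIOUS = {("pyyaml", "99.0.0")}  # constructed "compromised release"


def parse_lock(text: str) -> dict:
    """Parse 'name==version' pins (requirements.txt / pip freeze style)."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def typosquat_candidate(name: str) -> Optional[str]:
    """Return the popular package this name closely resembles, if any."""
    if name in POPULAR:
        return None
    matches = difflib.get_close_matches(name, POPULAR, n=1, cutoff=0.85)
    return matches[0] if matches else None


def diff_locks(before: str, after: str) -> List[dict]:
    """Report every package whose pin differs between the two snapshots."""
    old, new = parse_lock(before), parse_lock(after)
    events = []
    for name in sorted(old.keys() | new.keys()):
        o, n = old.get(name), new.get(name)
        if o == n:
            continue
        kind = "added" if o is None else "removed" if n is None else "changed"
        flags = []
        if n is not None:                      # only resolvable new pins carry risk
            if (name, n) in KNOWN_MALICIOUS:
                flags.append("known-malicious")
            squat = typosquat_candidate(name)
            if squat:
                flags.append(f"resembles {squat}")
        events.append({"package": name, "from": o, "to": n,
                       "kind": kind, "flags": flags})
    return events


def alerts(events: List[dict]) -> List[dict]:
    """Subset of events that should page someone rather than just be logged."""
    return [e for e in events if e["flags"]]


LOCK_BEFORE = """\
# constructed snapshot from the previous build
boto3==1.34.0
requests==2.31.0
pyyaml==6.0.1
"""
LOCK_AFTER = """\
# constructed snapshot from today's build
boto3==1.34.0
requestz==2.31.1
pyyaml==99.0.0
cryptography==42.0.0
"""

if __name__ == "__main__":
    for event in diff_locks(LOCK_BEFORE, LOCK_AFTER):
        print(event)
```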
Conduct Ransomware Tabletop
Run a tabletop exercise simulating a ransomware incident using current TTPs from the top three RaaS groups identified in this briefing. The exercise should cover the full incident lifecycle from initial access through encryption deployment, and include decision points around payment policy, law enforcement engagement, customer notification, and regulatory reporting. Given the consolidation of the ransomware landscape around a small number of sophisticated operators, exercises based on PHANTOM SPIDER, OBSIDIAN WOLF, or CRIMSON BEAR playbooks will provide realistic preparation for the most probable threats.
Expand Dark Web Monitoring
Broaden dark web monitoring scope to include emerging forums, Telegram channels, and alternative encrypted messaging platforms used by threat actors for credential sales and initial access brokerage. An estimated 35% of IAB negotiations now occur on Telegram rather than traditional dark web forums. Ensure monitoring coverage includes your organization's domain names, employee email addresses, IP ranges, and brand mentions across these platforms. Establish automated alerting and response workflows for credential exposure, and integrate dark web intelligence into threat-informed defense prioritization.
Related Services
Get Intelligence Tailored to Your Organization
Our threat intelligence team delivers customized briefings based on your industry, threat profile, and security priorities.