Ransomware Onslaught: Multiple Groups Post Fresh Victims on October 3, 2025


Executive Summary

October 3, 2025, brought another batch of new victim postings to ransomware leak sites as several threat groups published fresh claims on the same day. Akira, SpaceBears, RansomHouse, Qilin, and 3AM each listed new targets spanning healthcare, manufacturing, construction, legal services, and technology. Nothing suggests the groups coordinated; a single day with postings from five unrelated operations is simply what the 2025 baseline looks like, with attack volumes holding at historically elevated levels and organizations facing well-resourced adversaries. One caveat applies to every entry below: a leak-site listing is a claim by the attacker, not a confirmed breach, until the named organization or an investigator confirms it.

The October 3 Victim Wave

Claimed Victims by Group

Akira Ransomware:

  • Apricorn (data security solutions)
  • Displayit (display technology)
  • Dual Temp (HVAC/refrigeration engineering)

Qilin Ransomware:

  • Mitchell Industries
  • Saginaw Chippewa Indian Tribe (Michigan)
  • Shamir Medical Center (Israel)

SpaceBears:

  • Ausil Systems
  • Gesimde Asociados (Spain)
  • Esnova

RansomHouse:

  • GWP Engineering (Hong Kong/Shenzhen/Singapore)

3AM:

  • HSJ Lawyers LLP (legal services)

This single-day disclosure wave affects organizations on several continents, demonstrating the global reach of ransomware-as-a-service (RaaS) operations and the volume of claims that a defender's leak-site monitoring has to keep up with.

Akira: The Veteran Threat Continues Its Rampage

Profile and Scale

Akira first emerged in March 2023. According to the joint CISA/FBI advisory published in April 2024, it had impacted over 250 organizations and collected approximately $42 million in ransom proceeds by January 2024. Statistics show that Akira was the second most active group in the second quarter of 2025 after Qilin, claiming 143 victims in that period.

The group experienced its highest single-day total in November 2024, posting over 30 new victims within 24 hours. By 2025, Akira has firmly established itself as one of the most persistent and profitable ransomware operations globally.

Recent Activity Patterns

In early October 2025, Akira claimed eleven new victims, almost all US-based companies, with a notable focus on construction and manufacturing sectors. The group's victim profile shows a clear pattern: mid-sized companies in building, construction, and industrial supply chains.

In late July 2025, security researchers observed a rise in Akira intrusions that began at SonicWall SSL VPN devices. The activity was initially suspected to involve a zero-day, but SonicWall subsequently tied it to CVE-2024-40766, an improper access control flaw in SonicOS patched in August 2024, combined with local user accounts whose passwords were carried over from Gen 6 to Gen 7 firewalls without being reset. The practical lesson is the usual one: patch the appliance, reset local VPN credentials after a migration, and enforce MFA on the SSL VPN.

Attack Methodology

Akira runs a double-extortion model: data is exfiltrated first, then systems are encrypted. The encryptor uses a standard hybrid scheme, ChaCha20 for file contents and RSA to wrap the per-file symmetric keys, so the only key material that has to be present on the victim host is the operator's public key.

The group moves quickly: Akira operators have been observed going from initial access to data exfiltration in around two hours, including from Veeam backup servers. Backup servers are a deliberate stop, since they hold stored credentials for much of the environment and their contents are the victim's recovery path.

Target Profile

Akira ransomware maintains a notable focus on Italy, with 10% of its victims being Italian companies compared to 3% across the wider ecosystem. The group is otherwise opportunistic, targeting businesses across all sectors with an emphasis on manufacturing, critical infrastructure, construction, education, retail, and technology.

Unique Characteristics

Akira distinguishes itself through its retro aesthetic, featuring a 1980s-style "green screen" console interface on its Tor-based leak site. The design pays homage to the 1988 anime movie "Akira" and requires victims to interact with the site using text commands.

What makes Akira particularly unsettling is its audacity: in one negotiation, after settling for $200,000 from a $600,000 demand, Akira provided the victim with a security checklist, essentially offering "post-attack advice" on how not to get hacked again.

Qilin: The Rising Dominant Force

Meteoric Rise to Prominence

Qilin has quietly become one of the most active and impactful ransomware operations in the world, amassing over $50 million in ransom payments in 2024 alone and ranking as the most prevalent ransomware in public threat intelligence reports by 2025.

Current Dominance

Qilin was the top ransomware group in both June and July 2025, with 86 victims in June and 73 victims in July, accounting for 17% of July's total 423 ransomware victims.

The group's dominance coincided with the disruption of RansomHub in April 2025, when rival DragonForce claimed to be taking over RansomHub's infrastructure. Qilin activity surged when RansomHub was allegedly taken over, as affiliates migrated to Qilin, making it the most active ransomware threat in June 2025.

Operational Sophistication

Qilin (also tracked as Agenda) operates as a Ransomware-as-a-Service affiliate program. Its current encryptor is written in Rust (earlier builds were in Go) and offers several encryption modes, such as full, partial, or percentage-based file encryption, selected by the operator at build time.

Throughout 2025, Qilin has added spam campaigns, DDoS attack capabilities, automated network propagation, automated ransom negotiation from within the affiliate panel, data storage services, and "in-house journalists" to assist affiliates with blog posts and pressure during negotiations.

Victim Impact

The U.S. Department of Health and Human Services reported Qilin-related losses across multiple victims ranging from $6 million to $40 million, primarily affecting healthcare and government agencies across the Americas.

Encryption Technology

Qilin's encryptor follows the same hybrid pattern: each file is encrypted with a symmetric cipher under a randomly generated key, and that key is in turn encrypted with the operator's RSA public key. Only whoever holds the matching private key can unwrap the file keys, so there is no recovery path through the malware itself; the choice comes down to paying or restoring from backups.
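To make the hybrid scheme described for both Akira and Qilin concrete, here is a minimal implementation of the same pattern: a fresh ChaCha20-Poly1305 key per file, wrapped with an RSA-OAEP public key. This is an illustration added to this article, not code from either group; the AEAD variant of ChaCha20 is used here so the example also detects tampering, and the container layout (magic bytes, length prefix) is an assumed format. It requires the `cryptography` package.

```python
"""Hybrid per-file encryption: ChaCha20-Poly1305 for the body, RSA-OAEP to
wrap the file key. Added illustration; the container format is assumed.
Requires: pip install cryptography"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

HEADER_MAGIC = b"HYB1"  # hypothetical container marker, not a real malware format
NONCE_LEN = 12


def generate_operator_keypair(bits: int = 2048):
    """The private half stays with the operator; only the public half ships."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def _oaep() -> padding.OAEP:
    return padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def encrypt_blob(plaintext: bytes, public_key) -> bytes:
    """Encrypt one file: random 256-bit key, random nonce, key wrapped with RSA."""
    file_key = ChaCha20Poly1305.generate_key()      # unique per file
    nonce = os.urandom(NONCE_LEN)                    # never reused with the same key
    ciphertext = ChaCha20Poly1305(file_key).encrypt(nonce, plaintext, HEADER_MAGIC)
    wrapped_key = public_key.encrypt(file_key, _oaep())   # needs the private key to undo
    # layout: magic | 2-byte wrapped-key length | wrapped key | nonce | ciphertext
    return HEADER_MAGIC + len(wrapped_key).to_bytes(2, "big") + wrapped_key + nonce + ciphertext


def decrypt_blob(blob: bytes, private_key) -> bytes:
    """Unwrap the file key with the private key, then decrypt and verify the body."""
    if blob[:4] != HEADER_MAGIC:
        raise ValueError("not a HYB1 container")
    wk_len = int.from_bytes(blob[4:6], "big")
    wrapped_key = blob[6:6 + wk_len]
    nonce = blob[6 + wk_len:6 + wk_len + NONCE_LEN]
    ciphertext = blob[6 + wk_len + NONCE_LEN:]
    file_key = private_key.decrypt(wrapped_key, _oaep())   # ValueError on wrong key
    return ChaCha20Poly1305(file_key).decrypt(nonce, ciphertext, HEADER_MAGIC)


def demo():
    """Round trip with the right key; failure at the RSA unwrap step with another key."""
    priv, pub = generate_operator_keypair()
    sample = b"constructed sample: quarterly payroll export"   # constructed input
    blob = encrypt_blob(sample, pub)
    other_priv, _ = generate_operator_keypair()
    try:
        decrypt_blob(blob, other_priv)
        wrong_key_failed = False
    except ValueError:
        wrong_key_failed = True
    return decrypt_blob(blob, priv) == sample, wrong_key_failed


if __name__ == "__main__":
    print(demo())
```

The point for defenders sits in `decrypt_blob`: the victim host never holds the private key, so memory forensics can recover at most the individual file keys still resident when the encryptor was interrupted, never a universal decryptor.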

Strategic Targeting

Unlike other ransomware groups that overwhelmingly target construction, professional services, healthcare, and manufacturing sectors, Qilin's claimed victims are more balanced across sectors, including a higher percentage of financial targets than rivals.

SpaceBears: The Corporate-Styled Newcomer

Emergence and Unique Approach

SpaceBears is a newer participant in the "data broker" trend, in which extortion is built around stolen data rather than a distinctive encryptor. The trend gained momentum as law enforcement crackdowns made running a full ransomware operation riskier.

Distinctive Characteristics

SpaceBears websites give off a more 'corporate' appearance rather than the typical ransomware blogs, and the group also has a clearnet website hosted in Moscow, Russia, suggesting it may be a Russian-based ransomware group.

SpaceBears currently has organizations listed in its data leak site, most of which are medium/small sized organizations, including victims from the US, Portugal, Canada, Germany, Norway, Morocco and Singapore.

Operational Methods

SpaceBears does not host allegedly leaked data on their own servers, but shares it through file sharing services accessible on the clear web, though this often results in files being deleted in a short time.

This approach suggests either technical limitations or a deliberate strategy to avoid infrastructure costs while maintaining operational security. The group's methods and infrastructure suggest a reliance on basic extortion strategies rather than sophisticated malware tactics.

Victim Profile

When examined by sector, SpaceBears targets primarily include manufacturing, small technology solutions organizations, and healthcare-related companies. The group appears to focus on organizations that may lack robust cybersecurity defenses while still possessing valuable data.

RansomHouse: The Data Theft Specialists

Unique Operational Model

RansomHouse follows a Ransomware-as-a-Service business model where affiliates use the ransomware operator's infrastructure to extort money from victims, but the group often skips the step of encrypting victims' data entirely, preferring to just steal the data instead and making threats to release it if a cryptocurrency ransom is not paid.

This approach minimizes the immediate operational disruption for victims but maintains the extortion pressure through data exposure threats.

Historical Context

RansomHouse has been operating since late 2021. It has been linked to the White Rabbit ransomware and operates its own Linux encryptor, Mario, built for VMware ESXi hosts.

High-Profile Attacks

RansomHouse has made a name for itself by attacking organisations in education, government, manufacturing, and healthcare, including the likes of AMD, the University of Paris-Saclay, Bulgaria's Supreme Administrative Court, and South African telecoms operator Cell C.

2025 Activity

In February 2025, RansomHouse claimed an attack on National Technology Co., Ltd., a Chinese semiconductor firm, and said it had stolen 3 TB of data including proprietary R&D blueprints, customer financial records, and industrial IoT firmware. The volume and contents are the group's own claims.

RansomHouse was behind a cyberattack on Cell C that compromised data belonging to some of its customers; the group claimed to have stolen 2 TB of the company's data.

Technical Capabilities

RansomHouse affiliates have been reported to gain entry through phishing or unpatched vulnerabilities using third-party tooling such as Vatet Loader and Cobalt Strike, move laterally over Remote Desktop Protocol (RDP), and then deploy the group's own tooling: the Mario encryptor for VMware ESXi and MrAgent, a utility that automates deploying the encryptor across many hypervisors at once (a Windows build of MrAgent has also been reported).

Vulnerabilities the group has been reported to exploit for access include CVE-2023-4863 (libwebp heap buffer overflow), CVE-2023-41064 (Apple ImageIO buffer overflow), CVE-2023-41061 (Apple Wallet validation flaw), CVE-2023-20867 (VMware Tools authentication bypass), and CVE-2023-3519 (Citrix NetScaler ADC/Gateway code injection).

3AM: The Emerging Threat

Limited Public Information

3AM is one of the newer names on leak sites and is less documented than the groups above, but it is not unknown: Symantec first described it in September 2023 as a Rust-written encryptor that affiliates deployed as a fallback after a LockBit deployment was blocked, and researchers have since linked it to former Conti and Royal operators. Its October 3 posting of HSJ Lawyers LLP shows a willingness to hit legal services firms, which hold highly sensitive client data.

Attacks on law firms are particularly concerning due to the privileged attorney-client communications and sensitive case materials these organizations hold. Such breaches can compromise ongoing litigation, expose confidential business transactions, and violate legal professional privilege protections.

The Broader 2025 Ransomware Landscape

July 2025 saw 423 ransomware victims, continuing the rebound from the spring decline that followed February's record 854 attacks.

2025's lowest point of 402 attacks in May remains well above the low points of 2023 (161 in January 2023) and 2024 (243 in January 2024), suggesting that the long-term uptrend remains intact.

RansomHub's Fall and Affiliate Migration

The ransomware landscape experienced significant disruption in early 2025 when RansomHub, the dominant group for over a year, went offline in late March/early April. RansomHub was the top ransomware group for more than a year until rival DragonForce claimed to be taking over its infrastructure in what may have been an act of sabotage.

This disruption triggered a mass migration of experienced affiliates to other platforms, particularly Qilin, which capitalized on the turmoil with superior technology and generous affiliate payment structures.

Emergence of New Groups

The ransomware ecosystem continues to evolve with new entrants. New variants and groups in 2025 include AiLock, which operates under a RaaS model using multithreaded encryption with ChaCha20 and NTRUEncrypt, and Sinobi, whose data leak site closely resembles that of the Lynx ransomware group.

Geographic Targeting

The U.S. remains by far the most attacked country, with July seeing 223 victims, eight times greater than second-place Canada.

Critical Infrastructure Attacks

In July 2025 alone, researchers noted 25 possible critical infrastructure ransomware incidents targeting sectors such as government and law enforcement, energy and utilities.

Attack Vectors and Vulnerabilities

Commonly Exploited Weaknesses

Seven vulnerabilities stood out for their possible exploitation in ransomware campaigns in July 2025: CVE-2023-48788 (Fortinet FortiClientEMS SQL injection), CVE-2019-18935 (Progress Telerik UI deserialization), CVE-2025-5777 (Citrix NetScaler ADC out-of-bounds read), and CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, CVE-2025-49706 (Microsoft SharePoint vulnerabilities).

Initial Access Methods

Common initial access vectors include:

  • VPN exploitation (particularly SonicWall SSL VPN for Akira)
  • Phishing emails with malicious attachments or links
  • Exploitation of unpatched vulnerabilities in public-facing applications
  • Compromised Remote Desktop Protocol (RDP) services
  • Stolen credentials obtained through infostealers or previous breaches

Financial Impact and Ransom Economics

Ransom Demands and Payments

So far in 2025, 4,441 organizations have been publicly listed as ransomware victims. One estimate puts the payment rate above 51%, roughly 2,268 payments, with a median payment of about $1 million. Treat that rate with caution: most payments are never disclosed, and incident response firms that track payments directly report considerably lower rates.

Akira consistently demands ransom payments ranging from $200,000 to $4 million.

Recovery Costs

The financial impact extends far beyond ransom payments. Organizations face costs including:

  • Incident response and forensic investigation
  • Legal fees and regulatory fines
  • Business interruption and lost revenue
  • System restoration and data recovery
  • Reputational damage and customer compensation
  • Cybersecurity improvements post-breach

Long-Term Projections

Some experts predict that ransomware damage costs could exceed $265 billion by 2031.

Industry-Specific Impacts

Healthcare Under Siege

Healthcare remains one of the most heavily targeted sectors, with devastating consequences. The sector's criticality, valuable patient data, and often outdated IT infrastructure make it an attractive target.

Notable 2024-2025 healthcare attacks include:

  • Change Healthcare: initially reported as 100 million individuals impacted, later revised to about 190 million, with $2.457 billion in costs
  • Multiple Qilin victims with losses ranging from $6-40 million
  • Synnovis attack affecting multiple NHS hospitals

Manufacturing and Construction

Akira's October 2025 victims included multiple construction and manufacturing firms, with the group showing particular interest in companies that build or fix something, including construction management, floor covering, specialty doors, and electrical equipment installation.

The targeting of law firms like HSJ Lawyers LLP by 3AM highlights the value of privileged legal communications and case materials to threat actors.

Technology and Semiconductors

The RansomHouse attack on National Technology Co., Ltd. illustrates the strategic value of semiconductor firms: the group claimed to have taken TPM designs used to secure connected vehicles and smart grids. If genuine, such material could support reverse engineering or supply chain compromise by other actors, though that remains speculation.

Defensive Strategies and Recommendations

Immediate Actions

1. Backup and Recovery

  • Implement a 3-2-1 backup strategy (3 copies, 2 different media, 1 offsite)
  • Test restoration procedures regularly, including full restores at realistic scale
  • Ensure at least one copy is immutable or offline, so that an attacker holding domain admin cannot delete it
  • Keep backup servers (for example, Veeam) off the production domain with their own credentials; Akira operators specifically go after them

2. Vulnerability Management

  • Prioritize patching of internet-facing systems
  • Focus on commonly exploited vulnerabilities (VPNs, RDP, Microsoft products)
  • Implement virtual patching where immediate patching isn't feasible

3. Access Controls

  • Enforce multi-factor authentication (MFA) on all remote access
  • Implement least-privilege access principles
  • Disable or properly secure RDP access
  • Segment networks to limit lateral movement

4. Email Security

  • Deploy advanced email filtering and anti-phishing solutions
  • Conduct regular phishing simulation training
  • Implement DMARC, SPF, and DKIM email authentication
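The three DNS records in the last bullet only help if they are published with enforcing values; `p=none` or `~all` stops nothing. The following check, added here as an illustration rather than code from any of the vendors cited, parses SPF and DMARC records and flags the settings that let a phishing campaign send mail as your own domain. It takes the records as strings so it runs offline; the sample records are constructed.

```python
"""Flag weak SPF/DMARC settings. Added example; records are passed in as
strings (fetch them with `dig +short TXT example.com` and
`dig +short TXT _dmarc.example.com`, or dnspython, in practice)."""
from typing import Dict, List, Optional

# SPF mechanisms that cost a DNS lookup; more than 10 yields a permerror (RFC 7208 §4.6.4)
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """Split DMARC 'k=v; k=v' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(spf: Optional[str]) -> List[str]:
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any host can send as this domain"]
    terms = [t.lower() for t in spf.split()[1:]]
    # mechanism name without qualifier (+ - ~ ?) and without its argument
    names = [t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0] for t in terms]
    if "+all" in terms or "all" in terms:
        findings.append("SPF ends in +all: every sender passes")
    elif "?all" in terms:
        findings.append("SPF ends in ?all: neutral result, spoofed mail is not flagged")
    elif "~all" in terms:
        findings.append("SPF ends in ~all: softfail only; move to -all once DMARC is enforcing")
    elif "-all" not in terms and "redirect" not in names:
        findings.append("SPF has no terminating 'all' mechanism (treated as neutral)")
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror")
    return findings


def assess_dmarc(dmarc: Optional[str]) -> List[str]:
    findings = []
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM results are never enforced"]
    tags = parse_tags(dmarc)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC record has no valid p= tag: receivers ignore it"]
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains are unprotected although the apex is enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports, so abuse goes unseen")
    return findings


def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, List[str]]:
    """Empty lists mean nothing weak was found."""
    return {"spf": assess_spf(spf), "dmarc": assess_dmarc(dmarc)}


# Constructed sample records; the provider and mailbox names are placeholders
WEAK = ("v=spf1 include:_spf.mailprovider.example ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
HARDENED = ("v=spf1 include:_spf.mailprovider.example -all",
            "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, (spf, dmarc) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(spf, dmarc))
```

DKIM is not assessed here because selector names are not discoverable from DNS alone; verify DKIM from the `DKIM-Signature` header of a real message sent by each of your mail sources.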

Detection and Response

1. Security Monitoring

  • Deploy endpoint detection and response (EDR) solutions
  • Implement 24/7 security operations center (SOC) monitoring
  • Enable logging and establish baseline normal behavior
  • Monitor for indicators of compromise (IOCs) from threat intelligence feeds

2. Incident Response Preparedness

  • Develop and regularly test incident response plans
  • Establish communication protocols with stakeholders
  • Identify critical systems and data for priority protection
  • Pre-establish relationships with incident response firms

3. Threat Intelligence

  • Subscribe to ransomware threat intelligence feeds
  • Monitor dark web leak sites for mentions of your organization, its subsidiaries, and key suppliers
  • Track vulnerabilities affecting your technology stack
  • Stay informed about emerging ransomware groups and TTPs
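Leak-site monitoring is mostly a matching problem: postings arrive as free-text victim names, with legal suffixes, punctuation, and regional spellings applied inconsistently, sometimes with a domain, and they have to be matched against the organizations you care about. The example below is added here and is not code from Ransomware.live or any other source cited on this page; the post record shape is an assumption modeled on an aggregator feed, and the sample posts and watchlist are constructed (the victim names are borrowed from this article's list, the domains are placeholders).

```python
"""Match leak-site postings against an organization watchlist by domain,
normalized name, or fuzzy name. Added example; record shape is assumed."""
import re
from difflib import SequenceMatcher
from typing import Dict, Iterable, List

# Legal-form suffixes that leak sites include inconsistently ("HSJ Lawyers LLP" vs "HSJ Lawyers")
LEGAL_SUFFIXES = {"inc", "llc", "llp", "ltd", "limited", "co", "corp", "corporation",
                  "company", "gmbh", "plc", "pty", "ag", "sa", "sl", "srl"}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and legal suffixes, collapse whitespace."""
    tokens = [t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def normalize_domain(value: str) -> str:
    """Reduce a URL or hostname to a bare host without scheme, path, or 'www.'."""
    host = re.sub(r"^https?://", "", value.lower().strip()).split("/")[0]
    return host[4:] if host.startswith("www.") else host


def match_posts(posts: Iterable[dict], watchlist: Dict[str, List[str]],
                threshold: float = 0.85) -> List[dict]:
    """Return one hit per post that matches a watchlist entry.

    posts: records with 'group', 'victim', 'domain' (may be empty) and 'discovered'
           keys (assumed shape, modeled on a leak-site aggregator feed)
    watchlist: {"Organization name": ["domain1", "domain2", ...]}
    """
    targets = [(org, normalize_name(org), {normalize_domain(d) for d in domains})
               for org, domains in watchlist.items()]
    hits = []
    for post in posts:
        victim_norm = normalize_name(post.get("victim", ""))
        post_domain = normalize_domain(post["domain"]) if post.get("domain") else ""
        for org, org_norm, domains in targets:
            reason = None
            if post_domain and post_domain in domains:
                reason = "domain"                         # strongest signal when one is listed
            elif victim_norm and victim_norm == org_norm:
                reason = "exact name"
            else:
                ratio = SequenceMatcher(None, victim_norm, org_norm).ratio()
                if ratio >= threshold:
                    reason = f"fuzzy name ({ratio:.2f})"  # catches Center/Centre, typos
            if reason:
                hits.append({"org": org, "group": post["group"], "victim": post["victim"],
                             "discovered": post["discovered"], "reason": reason})
                break   # one hit per post is enough to raise an alert
    return hits


# Constructed sample feed and watchlist; domains are placeholders, not real sites
SAMPLE_POSTS = [
    {"group": "akira", "victim": "A.C.M.E.", "domain": "https://www.acme.example/", "discovered": "2025-10-03"},
    {"group": "3am", "victim": "HSJ Lawyers LLP", "domain": "", "discovered": "2025-10-03"},
    {"group": "qilin", "victim": "Shamir Medical Center", "domain": "", "discovered": "2025-10-03"},
    {"group": "spacebears", "victim": "Gesimde Asociados", "domain": "", "discovered": "2025-10-03"},
]
WATCHLIST = {
    "HSJ Lawyers": ["hsj-lawyers.example"],
    "Shamir Medical Centre": ["shamir-mc.example"],
    "Acme Widgets Inc": ["acme.example"],
}

if __name__ == "__main__":
    for hit in match_posts(SAMPLE_POSTS, WATCHLIST):
        print(f"[{hit['discovered']}] {hit['group']} claims {hit['victim']!r} -> {hit['org']} ({hit['reason']})")
```

Tune `threshold` against your own watchlist: short names produce false positives at 0.85, and every hit still needs a human to confirm the posting refers to your organization before anyone is paged.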

Organizational Resilience

1. Cybersecurity Culture

  • Conduct regular security awareness training
  • Establish clear policies for data handling and remote access
  • Create a culture where security concerns can be reported without fear

2. Vendor Risk Management

  • Assess third-party vendor security postures
  • Include security requirements in vendor contracts
  • Monitor vendors for data breaches that could affect your organization

3. Cyber Insurance

  • Evaluate cyber insurance coverage and requirements
  • Understand what is and isn't covered
  • Document security controls to support claims

The Psychology of Ransomware Operations

Professionalization of Cybercrime

Modern ransomware groups operate with corporate-level sophistication:

  • Customer service representatives for negotiation
  • Professional website design and branding
  • Service level agreements with affiliates
  • Marketing and recruitment on underground forums
  • Specialized roles (developers, negotiators, data brokers)

Pressure Tactics

Ransomware groups employ various psychological pressure techniques:

  • Countdown timers on leak sites
  • Gradual data publication to demonstrate seriousness
  • Direct contact with executives, board members, or customers
  • Threats to notify regulators, competitors, or media
  • DDoS attacks during negotiations

Affiliate Economics

The RaaS model has democratized ransomware attacks:

  • Low barriers to entry for affiliates
  • Profit-sharing arrangements (typically 70-80% to affiliate, 20-30% to developer)
  • Technical support and tools provided by operators
  • Reduced risk for operators who maintain plausible deniability

Geopolitical Dimensions

Safe Havens

Many ransomware groups operate from jurisdictions with:

  • Lack of extradition treaties with Western nations
  • Limited law enforcement cooperation
  • Tacit government tolerance or support
  • Strong technical infrastructure

Qilin is thought to operate from Russia or another former Soviet state, with affiliates worldwide, which makes it a global rather than a regional threat.

SpaceBears has a clearnet website hosted in Moscow, Russia, suggesting Russian-based operations.

Critical Infrastructure Targeting

The targeting of critical infrastructure raises national security concerns:

  • Healthcare system disruptions affecting patient care
  • Energy sector attacks threatening power grids
  • Transportation system compromises affecting logistics
  • Government agency breaches exposing sensitive information

Looking Ahead: The Future of Ransomware

Technological Evolution

Expect continued evolution in:

  • AI-assisted reconnaissance and social engineering
  • More sophisticated encryption and anti-forensics techniques
  • Cross-platform malware targeting Linux, Windows, and cloud environments
  • Integration of data destruction as additional pressure mechanism

Regulatory Response

Governments are implementing stricter measures:

  • Mandatory breach reporting requirements
  • Prohibitions on ransom payments to sanctioned entities
  • Critical infrastructure security mandates
  • International cooperation on cybercrime prosecution

Market Consolidation

The ransomware ecosystem may see:

  • Consolidation as smaller groups are absorbed or shut down
  • Increased competition among major RaaS platforms for affiliates
  • Specialization by industry or attack type
  • More sophisticated vetting of affiliates to avoid law enforcement infiltration

Conclusion

The simultaneous victim disclosures on October 3, 2025, by Akira, Qilin, SpaceBears, RansomHouse, and 3AM underscore the persistent and escalating threat that ransomware poses to organizations worldwide. Despite increased awareness, improved defenses, and law enforcement actions, ransomware attacks continue at historically high levels with increasingly sophisticated adversaries.

Qilin's dominance following RansomHub's disruption demonstrates the resilience of the ransomware ecosystem and how quickly affiliates relocate. Akira's continued success more than two and a half years after its emergence shows that proven initial-access paths (in its case, exposed VPN appliances) and reliable infrastructure retain their effectiveness. The emergence of groups like SpaceBears, with their "corporate" presentation and data broker model, illustrates continuing innovation in extortion technique.

For organizations, the message is clear: ransomware is not a theoretical threat but an operational reality that demands comprehensive, layered defenses. The question is no longer if an organization will face a ransomware attack, but when—and whether it will be prepared to respond effectively.

The victims posted on October 3 represent real organizations with employees, customers, and stakeholders whose lives and livelihoods are affected by these attacks. Behind each leak site posting is a disrupted business, compromised personal information, and the difficult decisions about whether to pay ransoms to criminals.

As we move through the remainder of 2025, organizations must treat ransomware defense as a continuous process requiring constant vigilance, adaptation, and investment. The ransomware groups posting victims daily are counting on complacency—proving them wrong requires sustained commitment to cybersecurity excellence.


October 3, 2025 Victims Summary

Akira (3 victims):

  • Apricorn - Data security solutions
  • Displayit - Display technology
  • Dual Temp - HVAC/refrigeration engineering

Qilin (3 victims):

  • Mitchell Industries - Manufacturing
  • Saginaw Chippewa Indian Tribe - Native American tribal government
  • Shamir Medical Center - Israeli healthcare

SpaceBears (3 victims):

  • Ausil Systems - Technology
  • Gesimde Asociados - Spanish company
  • Esnova - Services

RansomHouse (1 victim):

  • GWP Engineering - Hong Kong/Singapore engineering firm

3AM (1 victim):

  • HSJ Lawyers LLP - Legal services

Total: 11 organizations across 5 ransomware groups

Industries Affected: Healthcare, manufacturing, construction, legal services, technology, government, engineering

Geographic Reach: United States, Israel, Spain, Hong Kong, Singapore


Sources: Ransomware.live, BreachSense, CISA, SecurityWeek, The Hacker News, Cyble, Barracuda Networks, Qualys, Cyberint, SOCRadar, WatchGuard, Fortra, BlackFog, Security Affairs, Arctic Wolf


This article will be updated as more information becomes available about these ransomware attacks and affected organizations.

By Breached Company