There was a sharp increase in cyber criminal groups publicly posting stolen data online during the final quarter of last year, with posts surging by 50%, according to the latest quarterly threat report by Beazley Security.
A total of 12,800 vulnerabilities were published in Q4 2025. While only a small portion met the threshold for critical severity, that subset rose notably during the quarter, prompting Beazley Security Labs to issue an increased number of advisories to clients and stakeholders. High-impact campaigns targeting firewalls, Windows update infrastructure, and commonly implemented web frameworks demonstrated how attackers continue to abuse widely deployed and trusted platforms to scale their attacks.
The report suggests that the ransomware ecosystem continues to evolve with Akira dominating activity, representing the largest share of Beazley Security’s ransomware investigations, followed by Qilin. Together, they made up 65% of ransomware cases taken on by the cybersecurity firm.
Osiris emerged as a new and highly capable ransomware gang, with incident responders observing custom malware and tooling specifically designed to disable endpoint security controls. SHSL – a new extortion collective including ShinyHunters and Scattered Spider – scaled up over the course of 2025 with aggressive social engineering campaigns and public data leak threats.
In a majority of cases (54%), threat actors gained access through compromised credentials accessing a VPN. This was followed by external service exploit (32%), social engineering (7%), compromised credentials accessing RDS (4%), and supply chain attack (4%).
Beazley Security added that once the attackers got in, they followed a fast ‘smash and grab’ approach, meaning they did not linger or spy for long. They typically launched ransomware and caused disruption within about a day.
Francisco Donoso, chief product and technology officer at Beazley Security, said: “In Q4 2025, threat actors consistently abused identity systems and internet-facing vulnerabilities to gain initial access to organisations. A notable number of intrusions leveraged zero-day vulnerabilities, leaving neither vendors nor clients with an opportunity to patch before exploitation occurred.
“Looking ahead to 2026, we expect threat actors to further operationalise AI-assisted tradecraft to accelerate reconnaissance, enhance social engineering, and scale early-stage intrusions, ultimately driving more automated, agentic attacks against exposed web applications.”