MOXFIVE Monthly Insights - March 2025
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team.

March Highlights

Ransomware activity remained high throughout March 2025, with several threat actors continuing to evolve their operations. This report highlights critical vulnerabilities leveraged by ransomware operators, including a zero-day privilege escalation flaw exploited in active campaigns. It also covers the most active ransomware variants, with RansomHub and Akira leading in volume, and outlines which industries were most impacted based on observed leak site data. Finally, we share a real-world case involving a phishing campaign during ransomware recovery and spotlight the value of proactive email security controls in stopping secondary threats.

Top Threats

Phishing emails, VPN vulnerabilities, remote access without MFA, unpatched software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access vectors for ransomware attacks.

  • Windows CLFS Privilege Escalation Vulnerability (CVE-2025-29824): This zero-day vulnerability in the Windows Common Log File System (CLFS) driver allows a local, already-authenticated attacker to escalate privileges to SYSTEM. The flaw was exploited by threat actors deploying RansomEXX ransomware in attacks during March. Because it is a local privilege escalation, it is used after initial access rather than for it; patching promptly limits an intruder's ability to move from a standard user context to SYSTEM and then disable defenses or deploy ransomware domain-wide. Full details and remediation guidance are published in Microsoft's advisory for CVE-2025-29824.
  • Windows Fast FAT File System Driver Remote Code Execution Vulnerability (CVE-2025-24985): A remote code execution vulnerability in the Windows Fast FAT file system driver that is triggered when a user mounts a specially crafted virtual hard disk (VHD), for example one delivered as an email attachment or download. While there is no confirmed exploitation by ransomware groups to date, the vulnerability poses a high risk as an initial access or malware delivery path. More information is available in Microsoft's advisory for CVE-2025-24985.
Active Threat Actors

Several ransomware variants remained active throughout March 2025, with RansomHub and Akira leading in observed activity across both public leak sites and MOXFIVE cases.

  • RansomHub first emerged in early 2024, operating under a ransomware-as-a-service (RaaS) model and offering affiliates a 90% commission rate, one of the most competitive rates in the ransomware landscape. This continues to make it an attractive option for affiliates and is driving widespread adoption.
  • Akira continues to be one of the most widely used ransomware variants, offered through a RaaS model with ongoing impact across most industries. Akira offers a unique “deliverable menu” of paid services, including decryptors and data deletion options.
  • Qilin, Play, and Lynx followed as the next most active variants. While activity was slightly lower than the top two, each group maintained steady usage and continues to be observed in ongoing campaigns.

For a deeper look into these groups, MOXFIVE has published Threat Actor Spotlights on RansomHub, Akira, Qilin, and Lynx.

Technology and Manufacturing & Production were the most impacted industries in March, together accounting for nearly 40% of observed ransomware activity.

Healthcare, Professional Services, and Retail & Hospitality also remained frequent targets, reflecting continued threat actor focus on sectors where disruption can quickly impact operations and revenue. These rankings are based on observed ransomware data leak site (DLS) activity for impacted organizations in the United States. Note that DLS data reflects only the victims a group chose to post, so it undercounts organizations that paid or were never listed.

Secondary Attack During Recovery
During a recent ransomware recovery engagement, MOXFIVE identified a coordinated phishing campaign targeting users within the impacted environment. The timing was strategic, as threat actors launched the campaign while the organization was still recovering from encryption, attempting to exploit uncertainty and re-establish access. Users received a wave of emails containing links to spoofed login pages designed to capture credentials.

Some users followed the links and submitted information before the campaign was reported, introducing the risk of secondary compromise during a critical phase of the recovery. MOXFIVE quickly moved to contain the threat, identify affected accounts, and assess whether any additional access had been gained.  
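The triage described above, separating users who merely clicked a phishing link from those who submitted credentials to the spoofed login page, can be driven from web proxy logs. The following is an added example and not MOXFIVE's code or tooling: it flags hostnames that look like the organization's real login portal (homoglyph and typo substitutions, the brand embedded in an attacker-controlled domain, small edit distance), then walks constructed proxy log lines and returns the users who POSTed to such a host, who need an immediate credential reset, separately from users who only loaded the page. The organization domain, usernames, hostnames and the key=value log format are all hypothetical; a real proxy (Zscaler, Squid, Netskope) will need its own regex.

```python
"""Credential-phishing triage from proxy logs (constructed example).

Classifies hostnames as lookalikes of the victim's legitimate login portal,
then splits users into 'submitted' (POST to a lookalike) and 'clicked'
(GET only), so account resets can be prioritized during recovery.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical victim organization: its real domain and login hosts.
LEGIT_DOMAIN = "example-corp.com"
LEGIT_LOGIN_HOSTS = {"login.example-corp.com", "sso.example-corp.com"}

# Digit-for-letter substitutions commonly used in spoofed hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_host(host: str) -> str:
    """Fold common look-alike tricks so spoof and original compare equal."""
    h = host.lower().rstrip(".").translate(_HOMOGLYPHS)
    # 'rn' mimics 'm', 'vv' mimics 'w'; hyphens are often dropped or added.
    return h.replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit(host: str) -> bool:
    """Anything under the organization's own registrable domain is legitimate."""
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def is_lookalike(host: str, max_distance: int = 2) -> bool:
    """True for hosts that imitate the login portal but are not under LEGIT_DOMAIN."""
    h = host.lower().rstrip(".")
    if is_legit(h):
        return False
    n = normalize_host(h)
    brand = normalize_host(LEGIT_DOMAIN.split(".")[0])  # "examplecorp"
    if brand in n:
        # e.g. examp1ecorp-login.com or login.example-corp.com.evil.net
        return True
    return any(levenshtein(n, normalize_host(l)) <= max_distance for l in LEGIT_LOGIN_HOSTS)


# Constructed key=value proxy log format (not a real vendor format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+method=(?P<method>[A-Z]+)\s+"
    r"host=(?P<host>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d{3})"
)


@dataclass
class TriageResult:
    lookalike_hosts: set  # spoofed hosts seen in the logs
    clicked: dict         # user -> hosts fetched with GET only
    submitted: dict       # user -> hosts that received a POST (credentials likely captured)


def triage(log_lines) -> TriageResult:
    lookalikes = set()
    hits = defaultdict(lambda: {"GET": set(), "POST": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than abort the whole triage
        host = m["host"].lower()
        if not is_lookalike(host):
            continue
        lookalikes.add(host)
        if m["method"] in ("GET", "POST"):
            hits[m["user"]][m["method"]].add(host)
    submitted = {u: v["POST"] for u, v in hits.items() if v["POST"]}
    clicked = {u: v["GET"] for u, v in hits.items() if not v["POST"]}
    return TriageResult(lookalikes, clicked, submitted)


# Constructed sample log: jdoe submits to a spoof, asmith only clicks,
# bwong uses the real portal, plus one unparsable line.
SAMPLE_PROXY_LOG = """\
2025-03-18T09:14:02Z user=jdoe src=10.1.4.22 method=GET host=login.exarnple-corp.com path=/ status=200
2025-03-18T09:14:31Z user=jdoe src=10.1.4.22 method=POST host=login.exarnple-corp.com path=/auth status=302
2025-03-18T09:15:10Z user=asmith src=10.1.4.37 method=GET host=login.example-corp.com.secure-portal.net path=/ status=200
2025-03-18T09:16:45Z user=bwong src=10.1.5.12 method=GET host=login.example-corp.com path=/ status=200
2025-03-18T09:17:03Z user=bwong src=10.1.5.12 method=POST host=login.example-corp.com path=/auth status=302
2025-03-18T09:18:20Z user=asmith src=10.1.4.37 method=GET host=mail.google.com path=/ status=200
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE_PROXY_LOG)
    print("spoofed hosts:", sorted(r.lookalike_hosts))
    print("reset now (submitted credentials):", sorted(r.submitted))
    print("notify and watch (clicked only):", sorted(r.clicked))
```

The "submitted" set is the list to force password resets and session/token revocation on first; the "clicked" set still warrants a conversation with the user, since a GET-only record does not prove nothing was typed (credentials can be exfiltrated by script rather than a form POST). The lookalike check is deliberately permissive and should be reviewed by an analyst before blocking, since it will also flag benign third-party hosts that embed the brand name.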

Resilience Spotlight

Email Security Solutions
In response to the phishing campaign, MOXFIVE quickly implemented an email security solution to contain the threat and prevent further exposure. The tool began blocking malicious emails in real time, ultimately quarantining thousands of messages that could have otherwise led to additional compromise. This immediate action helped stabilize the environment and allowed recovery efforts to continue without further disruption.

To improve resilience against similar threats, organizations should:

Strong email controls play a critical role in reducing risk during both active incidents and ongoing operations. Implementing the right protections can stop targeted phishing campaigns before they reach users and disrupt incident response efforts.