Ransomware and ToolShell Attacks Targeting Public and Private Sectors
Threat actors have increasingly exploited public-facing applications, particularly on-premises Microsoft SharePoint servers, to gain initial access to organizations, with a significant rise in attacks attributed to the ToolShell attack chain. Cisco Talos Incident Response reported that over 60 percent of their recent engagements involved this vector, a sharp increase from the previous quarter, and noted a shift in ransomware activity, with new variants such as Warlock, Babuk, and Kraken observed alongside established families like Qilin and LockBit. The use of open-source DFIR tools like Velociraptor for persistence was also documented, marking a novel tactic in ransomware operations, and some attacks were linked to the China-based group Storm-2603.
Ransomware continues to pose a persistent threat, particularly to public sector organizations, with Trustwave reporting nearly 200 government entities worldwide victimized in 2025 alone. Babuk and Qilin have been identified as the most active ransomware groups targeting the public sector, causing significant operational downtime, service outages, and financial losses. The evolving tactics of ransomware actors and the increasing exploitation of vulnerabilities in public-facing applications underscore the need for robust segmentation and rapid incident response measures across both public and private sectors.
Timeline
Oct 22, 2025
Public sector ransomware attacks continue through 2025
Trustwave reported that ransomware attacks against public sector organizations were still occurring as of its October 2025 publication, indicating an ongoing campaign trend affecting government-related entities. The reference does not provide a specific incident date beyond the publication timeframe.
Sep 30, 2025
ToolShell attacks dominate Talos IR cases in Q3 2025
Cisco Talos reported that ToolShell-related intrusions were the dominant incident response trend in the third quarter of 2025, underscoring the importance of network segmentation and rapid response. This reflects activity occurring during the Q3 2025 period rather than a single isolated incident.
Related Stories

ToolShell Exploit Drives Surge in Attacks on Microsoft SharePoint Servers
A significant increase in attacks targeting public-facing applications has been attributed to the exploitation of the ToolShell vulnerability in on-premises Microsoft SharePoint servers. According to Cisco's latest Quarterly Trends report, over 60% of recent Talos Incident Response cases involved attacks on public-facing applications, with nearly 40% specifically linked to ToolShell activity. The surge is tied to two major SharePoint vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which have been actively exploited since mid-July 2025. China-based threat groups Linen Typhoon and Violet Typhoon have been identified as the primary actors behind these campaigns, focusing on sectors such as government, defense, academia, and nonprofits. The majority of incident response engagements related to ToolShell began within ten days of the vulnerabilities' disclosure, underscoring the rapid weaponization and exploitation by threat actors. Security experts warn that unpatched SharePoint servers present a critical risk, enabling attackers to move laterally within networks and potentially deploy ransomware. Cisco emphasizes the importance of robust network segmentation and timely patching to mitigate these threats. The exploitation of ToolShell highlights the ongoing challenges organizations face in defending public-facing applications and the need for proactive vulnerability management to prevent large-scale compromise and operational disruption.
1 month ago
Public Sector Cybersecurity Threats and Ransomware Trends
Government organizations worldwide are facing escalating cyber threats, with ransomware and extortion attacks sharply increasing in frequency and sophistication. Over 117 US federal and state entities were impacted in 2024, and attackers are increasingly targeting third-party providers and leveraging new tactics such as data extortion without encryption. The MOVEit and GoAnywhere supply chain breaches have had lasting repercussions, exposing sensitive data from government-linked organizations. Attackers are also employing advanced techniques, including the use of AI for phishing and deepfakes for social engineering, further complicating defense efforts. International coalitions, such as the Counter Ransomware Initiative (CRI), are urging stronger supply-chain cyber defenses and coordinated global action, highlighting the immediate and urgent threat ransomware poses to national security and economic stability. Despite some progress in reducing ransomware payments, attacks continue to disrupt major companies and public sector entities worldwide. The CRI, now comprising 61 countries and six international organizations, has released new guidance emphasizing the need for improved cyber hygiene and legislative action to address supply-chain vulnerabilities. Critics warn that legislative gaps persist, leaving critical systems exposed, while the ongoing digital transformation and prevalence of legacy systems in the public sector further increase risk. The convergence of these factors underscores the urgent need for comprehensive cybersecurity strategies and international cooperation to bolster resilience against evolving threats.
1 month ago
Cisco Talos Reports Exploitation of Public-Facing Apps as Leading Initial Access Vector
Cisco Talos Incident Response reported that **exploitation of public-facing applications** remained the top initial access method for a second consecutive quarter, appearing in **nearly 40%** of Q4 2025 engagements (down from **60%+** in Q3, when **ToolShell** activity surged). Talos highlighted rapid attacker uptake of newly disclosed vulnerabilities, including **Oracle E-Business Suite** `CVE-2025-61882` and **React2Shell** `CVE-2025-55182` (impacting React Server Components/Next.js and related frameworks), with exploitation observed around the time the issues became public—reinforcing the operational risk of internet-facing enterprise apps and default framework deployments. The same Talos reporting noted **phishing** as the second most common initial access vector, including a credential-harvesting campaign targeting **Native American tribal organizations** that used compromised legitimate accounts to propagate additional internal phishing. **Ransomware** represented roughly **13%** of engagements (down from ~20% the prior quarter and far below early-2025 levels), with **Qilin** continuing to feature prominently and no previously unseen ransomware variants observed. Separate coverage amplified Talos’ findings as a call for **faster patching**, citing examples where proof-of-concept code and exploitation activity emerged within hours to ~30 hours of disclosure for high-profile bugs like React2Shell and Oracle EBS.
1 month ago