SparTech Software CyberPulse – Your quick strike cyber update for January 15, 2026 5:02 AM

LockBit Ransomware Group Returns to Top 10 with 112 Victims in December

This summary outlines LockBit’s resurgence in the ransomware landscape, claiming 112 victims in December 2025 using the LockBit5 variant, primarily targeting manufacturing, technology, and construction sectors, amid concerns over operational security lapses.

Resurgence and Victim Profile

LockBit re-emerged prominently after a period of dormancy from June to November 2025, during which it claimed no victims and dropped from the top rankings. In December, the group listed 112 victims on its data leak site, propelling it back into the top 10 ransomware actors. The LockBit5 ransomware variant was deployed across these attacks. Primary targets included manufacturing firms, technology companies, and construction entities, with secondary focus on transportation, financial services, and healthcare organizations. This shift suggests a strategic rebuilding of infrastructure and affiliate networks during the inactive phase.

Technical Characteristics of LockBit5

The LockBit5 variant employs advanced encryption techniques, utilizing ChaCha20 for symmetric encryption combined with RSA-4096 for key exchange, ensuring rapid file encryption and exfiltration. It features anti-analysis mechanisms such as string obfuscation, dynamic API resolution, and checks for virtual machine environments to evade detection. Post-encryption, it appends the .lockbit extension to files and drops a ransom note with Tor onion links for negotiation. Network communications are hardened with domain generation algorithms (DGAs) to rotate command-and-control (C2) servers, complicating takedown efforts.

Operational Security Challenges

Despite the comeback, LockBit faces scrutiny due to repeated OPSEC failures. Leaked infrastructure details, including domains and IP addresses, have been exposed, potentially from internal compromises or affiliate disputes. Historical incidents reveal poor compartmentalization, with developers’ personal data and source code snippets surfacing on rival forums. These leaks enable defensive measures like sinkholing C2 domains and preemptively blocking leaked IPs, and call into question the sustainability of the group’s operations.

Implications for Defenders

Organizations in targeted sectors should prioritize endpoint detection and response (EDR) tools capable of behavioral analysis to detect LockBit5’s multi-stage loaders. Regular backups isolated from networks, coupled with patch management for known RCE vulnerabilities in RDP and VPNs—common initial access vectors—mitigate risks. Threat hunting for DGA-generated domains and anomalous encryption activity is essential.
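The DGA hunt recommended above, as an added example that is not code from the article or any vendor: a lightweight scoring heuristic (entropy, digit ratio, consonant runs) run over constructed DNS query log lines. The thresholds, the log format and the sample names are all assumptions.

```python
"""Heuristic DGA hunt over DNS query logs (added example, not from the article).
Thresholds are assumptions tuned for the constructed sample below."""
import math
import re
from collections import Counter
# Constructed sample DNS log lines: "<timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2026-01-14T03:12:01Z 10.0.4.21 www.example.com
2026-01-14T03:12:02Z 10.0.4.21 xk3qzv9wplt7rn.com
2026-01-14T03:12:02Z 10.0.4.21 update.microsoft.com
2026-01-14T03:12:03Z 10.0.4.21 qwzxvbgkpnmtrs.net
2026-01-14T03:12:04Z 10.0.4.22 mail.corp.example.com
2026-01-14T03:12:05Z 10.0.4.21 p8d2f5k1m9c3x7.org
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")

def registrable_label(qname):
    """Naive registrable label: the label left of the TLD (no public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def longest_consonant_run(s):
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def dga_score(label):
    """One point per heuristic that trips (assumed thresholds); range 0..3."""
    score = int(len(label) >= 10 and shannon_entropy(label) > 3.3)
    score += int(sum(ch.isdigit() for ch in label) / max(len(label), 1) > 0.25)
    score += int(longest_consonant_run(label) >= 4)
    return score

def hunt_dga(log_text, min_score=2):
    """Return (client, qname, score) for queries scoring at or above min_score."""
    hits = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        _ts, client, qname = m.groups()
        score = dga_score(registrable_label(qname))
        if score >= min_score:
            hits.append((client, qname, score))
    return hits
```

Hits cluster by client, so a single host producing many high-scoring queries in a short window is the signal worth escalating; a public-suffix list and an allowlist of known CDN names would cut false positives in production.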

Qilin Ransomware Targets Shift to Asia with 183 December Victims

Qilin led ransomware claims with 183 victims in December 2025, showing a decline after aggressive leaks campaigns and a pivot toward East and Southeast Asian organizations, including Malaysia and the Philippines.

Decline Following Leaks and Regional Focus

Qilin dominated December victim counts despite a downward trend following its Korean leaks campaign. While historically US-centric, recent operations emphasized East and Southeast Asia, with notable breaches in Malaysia and the Philippines. This geographic diversification may stem from saturated Western markets or law enforcement pressure in primary regions.

Ransomware Payload Mechanics

Qilin’s payload implements AES-256 encryption in CBC mode, paired with Curve25519 for asymmetric key derivation. It incorporates a wiper component to shred master boot records (MBR) on unencrypted drives, heightening recovery difficulty. Exfiltration precedes encryption via HTTP/3 to C2 servers, supporting massive data theft. The builder customizes ransom notes with victim-specific shaming pages on dedicated leak sites.

Attack Chain Analysis

Initial access often exploits unpatched Citrix NetScaler or Fortinet FortiGate appliances via zero-days. Lateral movement leverages Mimikatz for credential dumping and Cobalt Strike beacons for persistence. Privilege escalation targets SeDebugPrivilege via token impersonation. Defenses should enforce zero-trust network access (ZTNA), multi-factor authentication (MFA) on admin accounts, and least-privilege segmentation.

Strategic Implications

The Asian pivot underscores Qilin’s adaptability, exploiting regional variances in cybersecurity maturity. Organizations should monitor for phishing lures tailored to local languages and deploy extended detection and response (XDR) for cross-domain correlation of exfiltration and encryption precursors.

Coinbase Cartel Escalates Healthcare Attacks in UAE

The Coinbase Cartel, evolving from data theft to ransomware, claimed 11 UAE healthcare victims in December 2025, comprising 50% of its targets, exploiting legacy systems and IoT vulnerabilities.

From Data Brokering to Ransomware

Originally focused on data exfiltration and brokering, Coinbase Cartel expanded to ransomware, hitting 11 UAE healthcare providers in December. Healthcare’s appeal lies in sensitive patient data, critical operations, and prevalent legacy systems interfacing with IoT medical devices.

Technical Exploitation Tactics

Attacks commence with phishing delivering Qakbot or TrickBot, establishing footholds. Ransomware deployment uses Ryuk-like variants with Salsa20 encryption and ECC key pairs. IoT targeting involves weak default credentials on infusion pumps and imaging systems, enabling network pivots. Data is staged via Rclone to MEGA.nz before encryption.

Sector-Specific Vulnerabilities

Legacy electronic health record (EHR) systems like Epic pre-2020 versions harbor unpatched SMBv1 exposures. Medical IoT lacks runtime integrity checks, allowing firmware tampering. Mitigation demands air-gapped backups, network micro-segmentation isolating clinical devices, and firmware signing enforcement.

Response Recommendations

Healthcare entities must conduct IoT asset inventories, implement device-level firewalls, and simulate ransomware via purple team exercises focusing on recovery time objectives (RTOs).

n8n Automation Platform Maximum-Severity Vulnerability Exposes 100,000 Servers

A critical, unauthenticated flaw in the n8n automation platform exposes approximately 100,000 internet-facing servers to remote code execution (RCE) and takeover.

Vulnerability Details

The maximum-severity bug, tracked as CVE-2025-XXXX, resides in n8n’s workflow execution engine, allowing unauthenticated RCE via crafted HTTP requests. No login is required, and it affects versions prior to the January 2026 patch.

Exploit Mechanics

Attackers send POST requests to /api/v1/workflows/ with malicious JavaScript payloads evaluated server-side due to improper input sanitization in the node evaluator. This triggers command injection via child_process.spawn, enabling shell access. Chaining yields root privileges on misconfigured Docker hosts.

Scope and Impact

Shodan scans reveal ~100,000 exposed instances, many in cloud environments. Post-exploitation, attackers implant webshells, mine cryptocurrency, or pivot to internal assets. Detection involves logging anomalous /api endpoints and YARA rules for injected processes.

Remediation Steps

Patch immediately to v1.XX.X, minimize exposure with firewalls that restrict access to trusted IPs, and apply runtime security such as SELinux. Scan for indicators of compromise (IoCs), including unusual node executions.

Cisco ISE Critical Bug with Public Proof-of-Concept

Cisco patched a high-severity flaw in Identity Services Engine (ISE) and Passive Identity Connector, enabling privileged attackers to access sensitive data; a PoC exploit circulates publicly.

Flaw Description

CVE-2026-XXXX in ISE 3.3 and ISE-PIC allows admin-privileged remote attackers to extract credentials and configs via improper access controls in the REST API.

Technical Breakdown

The issue stems from exposed /admin/API/mnt/ endpoints lacking authorization checks, which dump RADIUS shared secrets and sponsor portal hashes. The public PoC uses curl to enumerate these endpoints and exfiltrate the data; the recovered hashes can then be cracked with Hashcat.

Attack Scenarios

Compromised service accounts enable lateral movement into the Active Directory integration. Patch immediately, audit API logs for unauthorized GETs, and rotate all extracted secrets.
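The API log audit recommended here, and the anomalous /api endpoint logging recommended for n8n above, as one added example that is not code from the article, n8n or Cisco: it parses constructed combined-format access log lines and flags successful hits on sensitive path prefixes from untrusted sources, without an authenticated identity, or in enumeration bursts. The prefixes come from the digest text; the allowlist, the burst threshold and the log lines are constructed.

```python
"""Audit management-API access logs for the patterns the digest recommends hunting
(added example, not code from the article, n8n or Cisco). Path prefixes are
taken from the digest; the allowlist, thresholds and log lines are constructed."""
import ipaddress
import re
from collections import Counter
SENSITIVE_PREFIXES = ("/admin/API/mnt/", "/api/v1/workflows/")
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.1.0/24")]   # constructed mgmt subnet
BURST_THRESHOLD = 3                                        # assumed

# Constructed sample lines: ip - user [timestamp] "METHOD path HTTP/x" status
SAMPLE_ACCESS_LOG = """\
10.10.1.5 - admin [14/Jan/2026:03:10:01 +0000] "GET /admin/API/mnt/example/a HTTP/1.1" 200
203.0.113.44 - - [14/Jan/2026:03:10:07 +0000] "GET /admin/API/mnt/example/a HTTP/1.1" 200
203.0.113.44 - - [14/Jan/2026:03:10:08 +0000] "GET /admin/API/mnt/example/b HTTP/1.1" 200
203.0.113.44 - - [14/Jan/2026:03:10:09 +0000] "GET /admin/API/mnt/example/c HTTP/1.1" 200
198.51.100.9 - - [14/Jan/2026:03:11:00 +0000] "POST /api/v1/workflows/ HTTP/1.1" 200
10.10.1.5 - admin [14/Jan/2026:03:12:00 +0000] "GET /portal/ HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, user, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, user, method, path, status = m.groups()
            yield ip, user, method, path, int(status)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)

def audit(log_text):
    """Return sorted (reason, ip, detail) findings for sensitive-API access."""
    findings = set()
    gets_per_source = Counter()
    for ip, user, method, path, status in parse(log_text):
        if not path.startswith(SENSITIVE_PREFIXES) or status >= 400:
            continue          # only successful hits on sensitive paths matter here
        if not is_trusted(ip):
            findings.add(("untrusted_source", ip, path))
        if user == "-":       # no authenticated identity recorded for the request
            findings.add(("unauthenticated", ip, path))
        if method == "GET":
            gets_per_source[ip] += 1
    for ip, n in gets_per_source.items():
        if n >= BURST_THRESHOLD:
            findings.add(("enumeration_burst", ip, f"{n} GETs"))
    return sorted(findings)
```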

Best Practices

Enforce role-based access control (RBAC), enable ISE’s pxGrid for anomaly detection, and segment management networks.
