Public administration emerges as the most attacked sector in a quarter marked by a decline in ransomware

Ransomware attacks decreased in the third quarter. At the same time, exploitation of public-facing applications increased, accounting for 60 percent of the incidents in that period, in which public administration stands out as the most attacked sector, according to the latest Cisco Talos report.

Ransomware incidents represented approximately 20 percent of cases in the third quarter of 2025, compared to 50 percent in the previous period. Experts from Cisco's cyber intelligence division regard the decline as temporary, since ransomware continues to be one of the most persistent threats to organizations.

In this period, Cisco Talos identified three new ransomware variants: Warlock, Babuk and Kraken, along with known threats such as Qilin and LockBit.

One of the malware attacks investigated by Talos was attributed to Storm-2603, a group believed to operate from China that used the legitimate security tool Velociraptor to gain greater visibility into computers and networks, with the aim of collecting data, monitoring activity, and maintaining control after infiltrating.

These figures come from the technology company's incident response report, which documents the trends observed by Cisco Talos Incident Response (Talos IR) during the third quarter of 2025.

The report also highlights the increase in exploitation of public-facing applications, which represented 60 percent of the incidents detected this quarter, compared to 10 percent in the previous quarter.

Talos links this rebound mainly to a wave of attacks exploiting newly disclosed vulnerabilities in on-premises Microsoft SharePoint servers via the ToolShell attack chain. The first known exploitation occurred a day before Microsoft's advisory, and the majority of incidents handled by Talos occurred in the following ten days.

Furthermore, approximately 15 percent of the incidents recorded during the quarter involved unpatched infrastructure, highlighting the importance of rapid patching and proper segmentation in defense strategies.

Additionally, nearly a third of incidents this quarter involved attackers bypassing or exploiting multi-factor authentication (MFA), often using techniques such as bombarding users with repeated login requests (MFA bombing) or exploiting weaknesses in MFA configurations.

THE PUBLIC SECTOR, MAIN TARGET

For the first time since Talos began its analysis in 2021, government organizations, especially local administrations, were the most frequent targets of cyberattacks.

These organizations provide critical services such as education and health, but they usually operate on limited budgets and obsolete technology. Both financially motivated threat actors and a Russian-affiliated APT group primarily targeted local governments.

By Editor
